
Category: Hackerterrorcybercyber

Shadowbrokers released NSA exploits, most not 0days any more

The Shadowbrokers released a number of Windows exploits that were leaked from the NSA's exploit cache.

A lot of blogs and tech opinion pieces appeared, most of them up in arms about the NSA not only sitting on these exploits, but also not communicating with Microsoft about them during the 90+ days in which these exploits have been known to be compromised.

Turns out, all of these exploits are actually fixed already (or do not appear to work on current platforms in the first place), and although neither MS nor the NSA comments, both parties apparently have been in communication about this.

So the situation is not nearly as dire as those opinion pieces make it look.

So the main question is: have you been patching all your systems up to MS17-010 (March 14th, 2017) already? And what about your Windows XP habit?

Right. Thought as much.


Tumblr of the Day: Roots of Design

I have just finished reading the Project Zero blog entries about the Broadcom Wifi SoC used in cellphones, and how to utilise that SoC to take over the main CPU of a phone.

While this is awesome reading, it reminded me about my interest in taking up a career in landscape gardening.

So here is my Tumblr of the Day recommendation for today: Roots of Design, a podcast about… Landscape Gardening.

It’s awesome, exploit free and about design, so it’s everything that IT isn’t.

It’s also defunct, the last episode is from almost 2 years ago, so it has at least something in common with the patch level of your phone.


Signed pointers

So those real hackers keep telling me that back then in the times of the LISP machine they had tagged pointers and stuff.

Those pesky mobile whizkids at Qualcomm could not let that stand, so they created signed pointers for ARMv8.3. Two new families of instructions were added, one for signing pointers, the other for checking the signature. How does that work? The PDF at Qualcomm describes the details.

Basically, when a return address is pushed onto the stack on subroutine call, that pointer is signed with a PAC* instruction; on return, the pointer is checked with an AUT* instruction. The actual RET will fail with an address violation if the pointer has been messed with. PAC* and AUT* are encoded in the NOP hint space, so older CPUs execute them as NOPs.

PAC* signs the return address, AUT* checks it. On pre-8.3 CPUs, they decode as NOP instructions. RETing to an address that fails AUT raises an illegal address exception.

A 64 bit pointer in a 40 bit cellphone processor is good for 24 bit signatures, but other partitions are possible depending on address space layout and size.
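To make the mechanism concrete, here is an added simulation (not Qualcomm's or ARM's code) of the layout the post describes: 40-bit addresses, a 24-bit PAC in the top bits, HMAC-SHA256 standing in for the architecture's QARMA-based PAC function, and an assumed modifier playing the role SP plays in PACIASP. The key and the sample addresses are constructed values.

```python
import hmac
import hashlib

# Layout from the post: 40-bit virtual addresses leave 24 top bits for the PAC.
# (Real ARMv8.3 also reserves bit 55 and, with TBI, the top byte; ignored here.)
VA_BITS = 40
VA_MASK = (1 << VA_BITS) - 1
PAC_BYTES = (64 - VA_BITS) // 8  # 3 bytes = 24 bits of signature

# Constructed per-process key. On hardware it sits in system registers that
# user-mode code cannot read, so a memory disclosure does not leak it.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

class PointerAuthError(Exception):
    """Stands in for the address fault a RET through a bad pointer takes."""

def compute_pac(ptr, modifier, key=KEY):
    """Truncated keyed MAC over (address, modifier). HMAC-SHA256 stands in for
    the architecture's QARMA-based PAC function; only the 24-bit size matters."""
    msg = (ptr & VA_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    return hmac.new(key, msg, hashlib.sha256).digest()[:PAC_BYTES]

def pac(ptr, modifier, key=KEY):
    """PAC*: sign a canonical pointer, storing the PAC in its unused top bits.
    The modifier plays the role SP plays in PACIASP: it binds the return
    address to the frame it was saved in, so it cannot be replayed elsewhere."""
    if ptr & ~VA_MASK:
        raise ValueError("pointer already signed or not canonical")
    tag = int.from_bytes(compute_pac(ptr, modifier, key), "little")
    return ptr | (tag << VA_BITS)

def aut(signed_ptr, modifier, key=KEY):
    """AUT*: strip the PAC, recompute it and compare in constant time. Hardware
    poisons the pointer on mismatch so the following RET faults; raised here."""
    ptr = signed_ptr & VA_MASK
    got = (signed_ptr >> VA_BITS).to_bytes(PAC_BYTES, "little")
    if not hmac.compare_digest(got, compute_pac(ptr, modifier, key)):
        raise PointerAuthError(hex(signed_ptr))
    return ptr

def overwrite_is_caught(ret_addr, sp, attacker_addr):
    """Simulate a saved return address being overwritten while the PAC bits
    stay as they were (the key is not in memory, so they cannot be recomputed)."""
    forged = (pac(ret_addr, sp) & ~VA_MASK) | (attacker_addr & VA_MASK)
    try:
        aut(forged, sp)
    except PointerAuthError:
        return True
    return False
```

Replaying a correctly signed return address under a different stack pointer fails the same way, which is what the modifier buys over a bare signature.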


CVE-2016-10229: Remote UDP Exploit or why did your Nexus want a new kernel this morning?

CVE-2016-10229: Almost perfect score.

CVSS v3 Base Score 9.8 (Critical)

»udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.«

Affects your Linux, and hence all the unupdateable Android you own. Or “why did your Nexus need a reboot this morning?”


Let’s Encrypt and Comodo targeted by Phishers for TLS certs

A Netcraft report highlights that both Let’s Encrypt and Comodo have been issuing certificates for thousands of domains that in one form or another contain the words “apple”, “paypal” or “ebay”, and that virtually all of these domains are being used for phishing or other fraudulent activities.

Netcraft provides a metric called “Deceptive Domain Score”, and uses the opportunity to promote this service of theirs, requesting that certificate authorities implement a similar service.

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen upon registration).

The two services are attractive to phishers because they offer TLS certificates for free and through an API, with a very limited screening process. Both services use the Safe Browsing API to check whether the domain being certified already hosts malware, but since it usually does not at the time the cert is issued, this check is pointless. Netcraft would rather have the CAs buy their Deceptive Domain Scoring service instead.
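As an added illustration of the kind of screen Netcraft argues the CA was placed to perform (example code, not Netcraft's Deceptive Domain Score or any CA's pipeline), here is a pre-issuance check that flags hostnames containing a brand word outside the brand's own registrable domain. The brand allowlist, the suffix list and the sample SANs are constructed assumptions.

```python
# Constructed allowlist of the brands' own registrable domains; an example
# assumption, not Netcraft's data or scoring.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}
# Tiny stand-in for the Public Suffix List; a real screen must load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Fold common digit-for-letter substitutions so "paypa1" and "app1e" still match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable_domain(host):
    """Registrable domain under the tiny suffix table above (e.g. ebay.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def deceptive_brands(host):
    """Brands this hostname impersonates: brand word present anywhere in the
    name while the registrable domain is not one the brand owns. The CA sees
    the whole hostname in the request, so this can run before issuance."""
    host = host.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard still exposes the registrable domain
    reg = registrable_domain(host)
    folded = host.translate(LEET).replace("-", "").replace(".", "")
    return [b for b, owned in BRAND_DOMAINS.items()
            if reg not in owned and b in folded]

def screen_request(hostnames):
    """Map each requested name to the brands it trips, dropping clean names.
    Anything returned is held for review instead of being auto-issued."""
    return {h: hits for h in hostnames if (hits := deceptive_brands(h))}

# Constructed sample SANs in the style of the names the report describes.
SAMPLE_SANS = [
    "www.paypal.com",
    "login.ebay.co.uk",
    "paypal.com.secure-login.example.net",
    "app1e-id-verify.example.org",
    "*.secure-ebay-support.example.com",
]

if __name__ == "__main__":
    for name, brands in screen_request(SAMPLE_SANS).items():
        print(f"hold for review: {name} -> {brands}")
```

Substring matching deliberately errs towards flagging (a name like pineapple.example would trip "apple"), which is why the output is a review queue rather than an automatic refusal.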


Curlbash, and Desktop Containers

I was having two independent discussions recently, which started with some traditional Unix person condemning software installing with curlbash (“curl https://… | bash”), or even “curl | sudo bash”.

I do not really think this to be much more dangerous than the installation of random rpm or dpkg packages any more. Especially if those packages are unsigned or the signing key gets installed just before the package.

The threat model really became a different one in the last few years, and the security mechanisms have had to change as well. And they have, with UIDs becoming much less important.

Desktop containers and sandboxes have become much more important, and segregation now happens at a much finer granularity (the app level) instead of the user level.


Antivirus assisted attacks

Christian Wressnegger, Kevin Freeman, Fabian Yamaguchi, and Konrad Rieck from TU Braunschweig and University of Göttingen have been experimenting with “Antivirus assisted attacks” (PDF). What is that?

They have been searching for malware signatures in common antivirus software that consist of printable characters only. Using these byte sequences, the following becomes possible:

As a consequence, an attacker may finish each iteration over a list of guessed passwords with a set of malicious markers, i.e., specially crafted login names that correspond to anti-virus signatures. If the attacked host is running a virus scanner configured to delete or quarantine viruses, any file containing such a malicious marker is deleted or at least moved to a different location. This not only makes manual investigation of the attack hard but may also inhibit the functionality of tools analyzing log files to stop password guessing, such as fail2ban.

Similar approaches are “making mbox files unavailable by poisoning them with printable malware signatures”, or “using malware signatures as cookie names”.


Android Security Bulletin April 2017 makes Firmware look like WTC after 9/11

The April 2017 Android Security Bulletin is out, and makes Android's Qualcomm and Broadcom firmware look like the WTC straight after 9/11. At this rate we will have exhausted the four digit CVE counter for 2017 before Pentecost.

We already know MediaServer is a piece of swiss cheese, but this is about CameraBase, Audioserver, SurfaceFlinger, Telephony, Factory Reset (sic!) and Broadcom, Qualcomm, NVIDIA, HTC and MediaTek firmware problems as well.

Much of that is available as binary blob only and never has seen a systematic audit, ever. Hence the CVE list. Multiple Critical, plenty of High.

Your phone does get updates and fixes, does it?