Privilege escalation and file overwrite in X.Org X server 1.19 and later
X.Org security advisory: October 25, 2018
Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary file overwrite when the X server is running with elevated privileges (i.e. when Xorg is installed with the setuid bit set and started by a non-root user). The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing unprivileged code to be executed in the privileged process. The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665

Background
==========

The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it's possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered valid by some systems.

Patches
=======

A patch for the issue was added to the xserver repository on October 25, 2018.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Workaround
==========

If a patched version of the X server is not available, X.Org recommends removing the setuid bit (i.e. chmod 755) from the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx' or 'xinit' commands or variations thereof. X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.

Thanks
======

X.Org thanks Narendra Shinde who discovered and reported the issue, and the Red Hat Product Security Team who helped understand all impacts.

-- Matthieu Herrb
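The advisory comes down to one missing check: options that let the caller choose a file path must be refused when the process holds privileges its caller does not. The following is an added example of that check, not xserver code; the option names come from the advisory, while the function names, the policy table and the argv walk are hypothetical.

```c
/* Added example (not xserver code): a privilege-aware option filter of the
 * kind whose regression the advisory describes. The two option names are
 * taken from the advisory; everything else here is a hypothetical model. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Options that name files the server writes or loads; they must be refused
 * whenever the process runs with privileges the invoking user lacks. */
static const char *const unsafe_when_elevated[] = {
    "-modulepath",   /* directory to load server modules from */
    "-logfile",      /* destination of the server log */
};

/* True when real and effective ids differ, i.e. a setuid/setgid binary
 * was started by a user who does not own those privileges themselves. */
int privs_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Returns 1 if `opt` may be honoured in the given privilege state. */
int option_allowed(const char *opt, int elevated)
{
    size_t i, n = sizeof unsafe_when_elevated / sizeof *unsafe_when_elevated;
    if (!elevated)
        return 1;                     /* plain user or plain root: all fine */
    for (i = 0; i < n; i++)
        if (strcmp(opt, unsafe_when_elevated[i]) == 0)
            return 0;                 /* path-choosing option while elevated */
    return 1;
}

/* Walks argv and returns the index of the first refused option, or 0 when
 * every option is acceptable. Option values (non-dash words) are skipped. */
int check_command_line(int argc, char *const argv[], int elevated)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (argv[i][0] != '-')
            continue;
        if (!option_allowed(argv[i], elevated)) {
            fprintf(stderr, "%s refused: process runs with elevated privileges\n",
                    argv[i]);
            return i;
        }
    }
    return 0;
}

int main(int argc, char *argv[])
{
    /* Exit non-zero instead of honouring a dangerous option. */
    return check_command_line(argc, argv, privs_elevated()) ? 1 : 0;
}
```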
SIGMA: A converter that generates searches/queries for different SIEM systems [work in progress]
Although in an early state, check this out.
Again Florian Roth is sharing this tool with us.
Getting Started
Rule Creation
Florian wrote a short rule creation tutorial that can help you get started.
Rule Usage
- Download or clone the repository
- Check the ./rules sub directory for an overview of the rule base
- Run python sigmac --help in the folder ./tools to get help on the rule converter
- Convert a rule of your choice with sigmac, like python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml
- Convert a whole rule directory with python sigmac -t splunk -r ../rules/proxy/
- Check the ./tools/config folder and the wiki if you need custom field or log source mappings in your environment
(This is a special for Erik)
Find common false positives in your threat intel DB
Florian Roth offers a neat tool "ti-falsepositives" on GitHub to identify common false positives in your IOC database.
Over the years, I've compiled a list of typical false positive hashes that are often included in IOC lists
My favourites are:
- file that contains 1 byte 0x0a
- empty Word documents
- 1x1 JPEG tracking pixel
- 404 error page
The script contains some of them as a static list and generates the rest.
Persistent GCP backdoors with Google’s Cloud Shell
Cloud Shell
Google Cloud Shell provides you with command-line access to your cloud resources directly from your browser without any associated cost. This is a very neat feature which means that whoever is browsing Google's cloud platform website (https://console.cloud.google.com) can immediately jump into performing commands using the gcloud command.
In short, you can install backdoors and, due to the lack of monitoring capabilities, no one will ever know ...
PasteJacker
I must admit that I'm still surprised what "cool" ideas are out there to trick users into some malicious action. Well, check this out: how a simple cut'n'paste could do you some harm.
PasteJacker
The main purpose of the tool is automating the (PasteJacking/Clipboard poisoning/whatever you name it) attack, collecting all the known tricks used in this attack in one place and one automated job, as after searching I found there's no tool doing this job the right way.
Now because this attack depends on what the user will paste, I implemented the Metasploit web-delivery module's idea into the tool so when the user pastes into the terminal, you get a meterpreter session on his device.
What's PasteJacking ?
In short, Pastejacking is a method that malicious websites employ to take control of your computers’ clipboard and change its content to something harmful without your knowledge. From The Windows club definition
So what I did here is automating the original attack and adding two other tricks to fool the user, using HTML and CSS (will talk about it), then adding meterpreter sessions as I said before.
References
- D4Vinci GitHub Repo
- PasteJacking GitHub repo
- Clipboard poisoning attacks on the Mac - Malwarebytes
- Metasploit web-delivery module's source and idea
SMB MiM made easy
Version 1.0.0. This tool is a PoC to demonstrate the ability of an attacker to intercept and modify insecure SMB connections, as well as compromise some secured SMB connections if credentials are known.
The goal of this tool is to switch the aim of MiTM on SMB from attacking the server through relayed connections, to attacking the client through malicious files and backdoored/replaced data when the opportunity strikes. Finally, since encryption is rarely ever used, at the bare minimum this tool allows for the stealing of files passed in cleartext over the network - which can prove useful for system enumeration, or damaging if the data intercepted is sensitive in nature (PCI, PII, etc).
Watch a demo here
VirtualBox E1000 0day
Not an easy one to exploit, but very interesting nonetheless.
Read more from MorteNoir1 here
General Information
Vulnerable software: VirtualBox 5.2.20 and prior versions.
Host OS: any, the bug is in a shared code base.
Guest OS: any.
VM configuration: default (the only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT).
To send network packets a guest does what a common PC does: it configures a network card and supplies network packets to it. Packets consist of data link layer frames and of other, higher level headers. Packets supplied to the adaptor are wrapped in Tx descriptors (Tx means transmit). The Tx descriptor is a data structure described in the 82540EM datasheet (317453006EN.PDF, Revision 4.0). It stores such metainformation as packet size, VLAN tag, TCP/IP segmentation enabled flags and so on.
The 82540EM datasheet provides for three Tx descriptor types: legacy, context, data. Legacy is deprecated I believe. The other two are used together. The only thing we care about is that context descriptors set the maximum packet size and switch TCP/IP segmentation, and that data descriptors hold physical addresses of network packets and their sizes. The data descriptor's packet size must be less than the context descriptor's maximum packet size. Usually context descriptors are supplied to the network card before data descriptors.
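Since every field of a Tx descriptor is guest-controlled, the size rule stated above (data length strictly below the context descriptor's maximum, and a context seen first) is exactly what the emulator side has to enforce before copying guest bytes into a host buffer. The model below is an added example and not VirtualBox code; the struct layout is simplified from the datasheet fields the write-up names, and the type and function names are hypothetical.

```c
/* Added example, not VirtualBox code: a minimal model of E1000 Tx descriptor
 * handling with the checks a device emulator must make before it trusts a
 * guest-supplied length. Field names are simplified from the 82540EM
 * datasheet; the types and functions are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum tx_type { TX_LEGACY, TX_CONTEXT, TX_DATA };

struct tx_desc {
    enum tx_type type;
    uint64_t addr;      /* data: guest-physical address of the packet buffer */
    uint32_t length;    /* data: bytes in this buffer */
    uint32_t max_size;  /* context: maximum packet size for following data */
    int tse;            /* context: TCP/IP segmentation enabled */
};

/* Per-adapter state the emulator keeps between descriptors. */
struct tx_state {
    int have_context;       /* a context descriptor has been seen */
    uint32_t max_size;      /* limit announced by the last context descriptor */
    int tse;
    uint8_t frame[16384];   /* host-side staging buffer, fixed size */
    size_t frame_len;       /* bytes already staged */
};

enum tx_result { TX_OK, TX_NO_CONTEXT, TX_TOO_LARGE, TX_OVERFLOW, TX_UNSUPPORTED };

void tx_reset(struct tx_state *st) { memset(st, 0, sizeof *st); }

/* Process one descriptor. `src` stands in for the guest memory that
 * d->addr points at. The guest controls every field, so a data
 * descriptor's length is checked against the context limit (strictly
 * below it, as the write-up states) and against the remaining host
 * staging space before a single byte is copied. */
enum tx_result tx_process(struct tx_state *st, const struct tx_desc *d,
                          const uint8_t *src)
{
    switch (d->type) {
    case TX_CONTEXT:
        st->have_context = 1;
        st->max_size = d->max_size;
        st->tse = d->tse;
        return TX_OK;
    case TX_DATA:
        if (!st->have_context)
            return TX_NO_CONTEXT;        /* no limit has been established */
        if (d->length >= st->max_size)
            return TX_TOO_LARGE;         /* guest exceeds its own limit */
        if (d->length > sizeof st->frame - st->frame_len)
            return TX_OVERFLOW;          /* would overrun the host buffer */
        memcpy(st->frame + st->frame_len, src, d->length);
        st->frame_len += d->length;
        return TX_OK;
    default:
        return TX_UNSUPPORTED;           /* legacy descriptors not modelled */
    }
}
```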
CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures
Farewell to your secret SSL keys if running in a shared environment.
From: Billy Brumley <bbrumley () gmail com>
Date: Fri, 2 Nov 2018 00:12:27 +0200
Howdy Folks,

We recently discovered a new CPU microarchitecture attack vector. The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core.

Report is below. Thanks for reading!

BBB

# Report

We steal an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server using this new side-channel vector. It is a local attack in the sense that the malicious process must be running on the same physical core as the victim (an OpenSSL-powered TLS server in this case).

## Affected hardware

SMT/Hyper-Threading architectures (verified on Skylake and Kaby Lake)

## Affected software

OpenSSL <= 1.1.0h (but in general, software that has secret dependent control flow at any granularity; this particular application is a known vulnerability since 2009 only recently fixed)

Ubuntu 18.04 (again, it is really a hardware issue, but anyway this distro is where we ran our experiments)

## Classification and rating

Tracked by CVE-2018-5407.

CWE wise, I would label it like CWE-208: Information Exposure Through Timing Discrepancy

At a very high level (e.g. CVSS string), it is similar to this CVE: https://nvd.nist.gov/vuln/detail/CVE-2005-0109

But the underlying uarch component is totally different. Our attack has nothing to do with the memory subsystem or caching, and that CVE is specifically for data caching (e.g. some fixes for CVE-2005-0109 do not address this new attack vector at all).

## Disclosure timeline

01 Oct 2018: Notified Intel Security
26 Oct 2018: Notified openssl-security
26 Oct 2018: Notified CERT-FI
26 Oct 2018: Notified oss-security distros list
01 Nov 2018: Embargo expired

## Fix

Disable SMT/Hyper-Threading in the bios

Upgrade to OpenSSL 1.1.1 (or >= 1.1.0i if you are looking for patches)

## Credit

Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri (Tampere University of Technology, Finland)

Alejandro Cabrera Aldaya (Universidad Tecnologica de la Habana CUJAE, Cuba)

## Refs

https://marc.info/?l=openbsd-cvs&m=152943660103446
https://marc.info/?l=openbsd-tech&m=153504937925732

## Exploit

Attached exploit code (password "infected") should work out of the box for Skylake and Kaby Lake. Said code, soon to be followed by a preprint with all the nitty-gritty details, is also here: https://github.com/bbbrumley/portsmash
Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code (CVE-2018-4407)
Thanks to Hugo that brought me the news.
Effectively you can DoS any Apple device that is within the same (W)LAN as the attacker.
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407
The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel. XNU is used by both iOS and macOS, which is why iPhones, iPads, and Macbooks are all affected. To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required. The attacker only needs to be connected to the same network as the target device. For example, if you are using the free WiFi in a coffee shop then an attacker can join the same WiFi network and send a malicious packet to your device. (If an attacker is on the same network as you, it is easy for them to discover your device's IP address using nmap.)
To make matters worse, the vulnerability is in such a fundamental part of the networking code that anti-virus software will not protect you: I tested the vulnerability on a Mac running McAfee® Endpoint Security for Mac and it made no difference. It also doesn't matter what software you are running on the device - the malicious packet will still trigger the vulnerability even if you don't have any ports open.
Since an attacker can control the size and content of the heap buffer overflow, it may be possible for them to exploit this vulnerability to gain remote code execution on your device. I have not attempted to write an exploit which is capable of doing this. My exploit PoC just overwrites the heap with garbage, which causes an immediate kernel crash and device reboot.
Video: https://youtu.be/aV7yEemjexk
PoC code: https://github.com/unixpickle/cve-2018-4407
German official cybercrime report 2017
Find the (German) official cybercrime report compiled by the German authorities on the BKA page here.
Cathay Pacific: 10 million customer records stolen
Well, data breaches seem to be a frequently seen thing at airlines...
Even more sensitive data has been leaked, from almost 10 million customers.
The sensitive information of nearly 10 million people might have been accessed by cybercriminals. According to the Asian airline operator, hackers might have stolen personal records that include name; nationality; date of birth; phone number; passport number; credit card numbers; email; address; customer service remarks and historical travel information. According to CNN Business, the data leak included approximately 860,000 passport numbers and roughly 250,000 identity card numbers. Cathay might be based in Asia but serves multiple countries across four continents, and the victims include US residents
Reuters:
Cathay said 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed in the breach.
“We are very sorry for any concern this data security event may cause our passengers,” Cathay Pacific Chief Executive Rupert Hogg said in a statement.
“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
Hogg said no passwords were compromised in the breach and the company was contacting affected passengers to give them information on how to protect themselves.
Cathay Pacific was not immediately available for additional comment outside normal business hours.
The company said it initially discovered suspicious activity on its network in March 2018 and investigations in early May confirmed that certain personal data had been accessed.
News of Cathay's passenger data breach comes weeks after British Airways revealed that credit card details of hundreds of thousands of its customers were stolen over a two-week period.(reut.rs/2oUTNrU)
Cathay in a statement said accessed data includes names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, passport numbers, identity card numbers and historical travel information.
It added that the Hong Kong Police had been notified about the breach and that there is no evidence that any personal information has been misused.
Windows Defender Antivirus can now run in a sandbox
I'm personally not sure if this will make Defender a really good AV solution, but it's using state of the art technology now. We shall check the AV comparisons during the next months to see the detection rates compared to other vendors' solutions.
Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.
Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.
While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.
British Airways: 185K Affected in Second Data Breach
While BA was searching for details and background information on what happened in their last breach, they found another one that leaked the credit card data of 185,000 customers.
This time, British Airways said that hackers may have also stolen personal data in an attack between April 21 and July 2 this year.
In a statement, the carrier outlined the actions passengers need to take. “While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”
“Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”
IBM buys RedHat
A big merger, indeed. Read some background and what it could mean for the security landscape in an article from darkreading.
"IBM is committed to being an authentic multi-cloud provider, and we will prioritize the use of Red Hat technology across multiple clouds," said Arvind Krishna, senior vice president, at IBM Hybrid Cloud. "In doing so, IBM will support open source technology wherever it runs, allowing it to scale significantly within commercial settings around the world."
F5 Labs: IoT becomes top attack surface
Surprise, surprise: the insecure IoT landscape is threatening all of us and gives the security analyst a hard time, but the crooks a good time.
If you have 35 minutes to spare, read this article about the IoT attacks that F5 brought us here.
The sample analysis of APT-C-27’s recent attack
Some new actions and news about the infamous APT27 group.
I'll update my own writing accordingly.
APT-C-27 is a group that has long been engaged in cyber attacks against Arab countries such as Syria. It mainly uses APK, PE, VBS, JS files as attack vectors, involving Android and Windows platforms, using social networks and spear phishing email to spread malicious payloads.
The malicious sample captured by 360 CERT(360 Computer Emergency Readiness Team) is the Office phishing document with the embedded Package object. From the sample type, the attack was suspected to be delivered to the victim by means of a spear phishing email. The United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA) issued a public letter embedding an important form to induce victims to execute Package objects to carry out attack payloads.
Exploit DB: Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
This might become the #1 jailbreak for iOS 11.4, I suppose.
io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue.
As a client we can modify this mach message such that the server (hidd on MacOS, backboardd on iOS) will send us an arbitrary mach port from its namespace with an arbitrary disposition.
This is a minimal PoC to demonstrate the issue. Interpose it into the PoC for P0 1623, Apple issue 695930632
Attaching two PoCs:
deja-xnu: exploit for this issue on iOS 11.4.1 to get code execution as backboardd, and then trigger p0 issue 1658
dq8: exploit for this issue, and a new exploit for the original pangu variant of this issue to get a real tfp0 on iOS 7.1.2
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45650.zip
FireEye: APT38: Details on New North Korean Regime-Backed Threat Group
FireEye published the usual, excellent write-up about new findings on APT38, brought to us from North Korea.
Read my personal short summary here, or have the complete FireEye article here and the very, very interesting background details here.
Undetectable C# & C++ Reverse Shells
@Bank_Security is writing about a reverse shell done in C++/C# that is hard or impossible for AV to detect.
Introduction
In December 2017 I wrote an article about some possible Insider Attacks that use in-memory PowerShell scripts which, months ago, were not detected by the major AV solutions. During the last months, after warning all the vendors, they started to detect these attacks. Among the various attacks used in my article there was the opening of a reverse shell through the powersploit script executed directly in memory, which is currently detected by most AV vendors but…
..what would happen if that same behavior was done by a C++/C# program or something else?
Continue the complete article here.