Downclimb: Summit Route’s Weekly Infosec News Recap
2014.10.10 – 2014.10.17: https://SummitRoute.com

Top stories

POODLE: Attack on SSLv3

In an attack similar to BEAST, this allows a MiTM attacker to subvert the legacy SSLv3. The recommended solution is to disable SSLv3. The impact of this is similar to Heartbleed, but whereas Heartbleed only needed to be fixed on servers, this requires clients to be updated. Unlike Heartbleed, however, no SSL certificates need to be revoked and renewed. All of the talk and recommendations for this are to help users fix their browsers, but this impacts anything that uses SSL, which is not just browsers. Many applications will use SSL/TLS when they want secure communications, such as chat clients that use XMPP, auto-updates, and mail clients. So these applications must also be updated.

• https://www.imperialviolet.org/2014/10/14/poodle.html

Windows exploits

Patch Tuesday was busy with 3 big exploits that were found being exploited in the wild, in addition to more vulnerabilities.

(CVE-2014-4114) A design flaw in Microsoft Office products allows a fairly easy way of getting remote code execution without memory corruptions when a user opens a PowerPoint file. This exploit is being referred to as Sandworm. This is the type of exploit that EMET does nothing against, but which application white-listing can protect against.

(CVE-2014-4113) Crowdstrike and FireEye discuss a new privilege escalation vulnerability[2,3]. Crowdstrike discusses how they found it and how to detect it, and FireEye discusses how it works. Interestingly, they each seem to have acquired different samples that each use this exploit.

(CVE-2014-4148) FireEye also found an additional in-the-wild exploit using TrueType fonts (TTF)[3]. TTF exploits are especially dangerous because they can be exploited by having the victim visit a webpage and these exploits the kernel so no additional privilege escalation or sandbox escape is necessary.

(CVE-2014-4073) There is yet another privilege escalation, this time with .NET’s use of DCOM[4,5]. Although Microsoft released a patch, the underlying issue apparently has not been fixed, and exploit code is available at [4].

The carnage on Windows isn’t limited to what has been patched. The prolific vulernability researcher who goes by lcamtuf (Michal Zalewski), using his “american fuzzy lop” framework, found vulnerabilities in Firefox and IE[6]. The Firefox vuln was patched, but unfortunately, after 90 days, Microsoft failed to patch for this, so a proof-of-concept has been released.

1. http://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/
2. Crowdstrike write-up: http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
3. FireEye write-up: http://www.fireeye.com/blog/technical/targeted-attack/2014/10/two-targeted-attacks-two-new-zero-days.html
4. .NET priv esc with exploit code: http://tyranidslair.blogspot.co.uk/2014/10/a-tale-of-two-net-methods.html
5. MS on the .net pric esc: http://blogs.technet.com/b/srd/archive/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability.aspx
6. http://lcamtuf.blogspot.com/2014/10/two-more-browser-memory-disclosure-bugs.html

FinFisher Analysis

An in-depth analysis of FinFisher malware. I especially like write-ups like this because it shows the techniques and architectures used by the malware authors when they developed their software, instead of a lot of write-ups that just point out IOC’s such as file hashes and what C&C servers are used.

• Part 1: Dropper analysis: https://www.codeandsec.com/FinFisher-Malware-Dropper-Analysis
• Part 2: Main component: https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2
• Part 3: User-mode hooks and DLL injection + MBR analysis: https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-3
• Part 4: Drivers: https://www.codeandsec.com/FinFisher-Shell-Extension-and-Drivers-Analysis

Threat Intelligence

Throught-provoking article from Dave Aitel on the need to avoid having Threat Intelligence simply follow as a re-branding of AV signatures.

• http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13

Docker coming to Windows

Docker for Windows will be demo’d on Oct 30[1]. It will be interesting to see how (or if) they securely isolate the Docker containers. This likely will be built on Microsoft’s research project Drawbridge, which has been in development since 2011[2].

1. http://azure.microsoft.com/blog/2014/10/15/new-windows-server-containers-and-azure-support-for-docker/
2. http://research.microsoft.com/en-us/projects/drawbridge/

Certificate Authorities on mobile devices

Bluebox does a great job of pointing out historical issues with a variety of certificate authorities.

• https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/

Conference materials and publications

• Ruxcon slides
• HITB Malaysia
• LinuxCon: This included a presentation on Qubes
• Black Hat EU: Google archived, due to an oops from Black Hat.

Other reads

• Kmart hacked
• TOR Browser 4.0 released: Due to POODLE, various security patches, and other fixes, a new TOR Browser bundle has been released:
• Usermode sandboxing using Windows integrity levels
• Alternative to FLIRT signatures for IDA
• Vuln for Ruby on Rails + MySQL for password resets
• How to do forensics on an Amazon EC2 instance
• Freenode backdoor analysis: The popular IRC server freenode was compromised a month ago on September 13. This brief write-up discusses the port-knocking technique used to connect to the backdoor.