Downclimb

2015.03.29


Downclimb: Summit Route’s Weekly Infosec News Recap
2015.03.22 – 2015.03.29: https://SummitRoute.com

Quotes

“The finite monkey theorem states that a monkey hitting keys at random on a keyboard will almost surely configure sendmail better than you.” sadserver


“the computing scientist’s main challenge is not to get confused by the complexities of his own making” Edsger W. Dijkstra

Top stories

troubleshooter: The revenge of GingerBreak

Trivial privilege escalation against SELinux.

  • https://github.com/stealth/troubleshooter

Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3

Part 2 of Core Security’s write-up from last week on a Flash exploit shows how to bypass Control Flow Guard (CFG) by using JIT’d code, because CFG only protects functions that are compiled into the binary.

  • https://blog.coresecurity.com/2015/03/25/exploiting-cve-2015-0311-part-ii-bypassing-control-flow-guard-on-windows-8-1-update-3/

Dell System Detect RCE vulnerability

The application Dell System Detect spawns a local HTTP server that, if passed the right parameters, will download and execute an arbitrary file.

  • http://tomforb.es/dell-system-detect-rce-vulnerability

Vulnerability Patching: Learning from AVG on Doing it Right.

AVG was using an interesting technique to load their protection DLL into processes. Unfortunately, this technique caused the process to be more vulnerable.

  • http://breakingmalware.com/vulnerabilities/vulnerability-patching-learning-from-avg-on-doing-it-right/#more-649

Business

  • Lookingglass raised $20M: Lookingglass, based out of Arlington, Virginia, closed a $20M Series B. This follows their acquisition of CloudShield earlier this month for an undisclosed amount. Lookingglass sells a threat intelligence monitoring platform that feeds data into existing SIEMs. CloudShield provides deep packet inspection.
  • enSilo raised $2-3M: On March 10, the Israeli company enSilo announced it had raised a round, estimated to have been $2-3M. enSilo monitors systems to determine if an attacker is on the system and denies their ability to exfiltrate data.
  • Red Canary raised $2.5M: Red Canary, based out of Denver, Colorado, raised $2.5M. Red Canary uses Carbon Black to monitor endpoints and feeds that information back for analysis to generate alerts.

Newspaper news

  • Slack hacked: The chat platform that has become quite popular over the past year was hacked, apparently giving access to the database, where the passwords were properly hashed. Based on what the announcement says was accessed (and on rumors), this was likely SQL injection.
  • Hillary Clinton wiped her server before handing it over: After being requested to turn over her private email server to be examined for evidence, Hillary Clinton wiped all the evidence.
  • AllCrypt bitcoin exchange hacked: AllCrypt is a bitcoin exchange that was hacked, resulting in the loss of 37 BTC ($9K). There is a lengthy post-mortem[1], with the main takeaway being to use 2FA.

Conference materials and publications

Tools

  • Z3: Z3 is a theorem prover from Microsoft Research that is now open-source. It has been available in binary form for a while and has been popular for bug finders in certain circumstances. The lead developer of Z3 started a different project (also open-source) in 2012, called Lean, which is very similar, but has not gotten as much attention.
  • afl-dyninst: American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries.
  • Diaphora: Diaphora is an open-source diff’ing plugin for IDA Pro that Joxean Koret announced two weeks ago and has just now released.

Other reads

  • Intermediate CA, MCS Holdings, misissued certs: An intermediate certificate authority named MCS Holdings, which received its cert from CNNIC (which is trusted by all major browsers and OSes), issued unauthorized SSL certs for several Google domains. It appears to have been used non-maliciously and, according to MCS, was only used on a single test system.
  • The blackjack vulnerability: The PIN for wifi with WPS could previously be brute-forced in a matter of hours. Now it takes seconds.