Downclimb: Summit Route’s Weekly Cyber News Recap
2015.06.14 – 2015.06.21: https://SummitRoute.com
Quotes
“I wish you were as strenuous and hard-working at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress and federal employees.” Rep. Stephen Lynch, D-Mass to the OPM director
“Bitcoin mining gives us a high-quality estimate of the costs to a well-funded password cracker.” zooko
“I imagine myself in 20 years grepping code bases for // YOLO” Natalie Silvanovich
“The question was how do you handle the monitoring of the monitoring, known in the industry as the Yo Dawg problem” Roy Rapoport
Top stories
ASLR bypass using MemoryProtection
First there was a post from Ivan Fratric on abusing MemoryProtector to bypass High Entropy Bottom-Up Randomization[1]. Ivan publishes something about once a year, so when he does, you better believe it’s awesome. He mentioned in his post a potential collision between his research and HP Research, and sure enough HP Research published their work[2], including exploit POC.
- http://ifsec.blogspot.com/2015/06/dude-wheres-my-heap.html
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYSxzPm7b3T
The Duqu 2.0 persistence module
Discussion from Kaspersky of Duqu 2’s “organization-level persistence”: as long as one system is up and infected, the network remains under the control of the Duqu 2 actors, because any system that reboots will be re-infected.
- https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/
Owning Internet Printing - A Case Study in Modern Software Exploitation
This post from Neel Mehta shows how to chain a couple of vulnerabilities together (including an XSS and a reference counting issue) in order to exploit the open-source printing suite CUPS. In addition to being very detailed, my favorite part is he also discusses the mitigations that could have hindered this exploit.
- http://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html
Newspaper News
- LastPass hacked: LastPass provides a service to act as a single master password for all your websites so that you can have unique, strong passwords for all the websites you use, but only need to remember one password. It’s been hacked.
- OPM director testimony: Regarding the OPM breach, it looks like yet another organization with gross negligence of its security. A prior employee who was interviewed said:
“the Unix systems administrator for the project ‘was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports.’”
- Cardinals Investigated for Hacking Into Astros’ Database: You finally have something to talk to sports fans about.
Business
- ThreatQuotient exits stealth mode: ThreatQuotient has announced the availability of ThreatQ, a Threat Intelligence Platform (TIP), meaning a solution to centralize Threat Intelligence feeds. This seems to be a solution to compete against the open-source MISP. They have received $1.5M in funding to date since being founded in March 2013.
- EnSilo closes $10M Series A: EnSilo has a platform to virtually patch against targeted threats. They closed a $10M round. They obtained some recognition last week for having found and reported the same vuln (CVE-2015-2360) that Duqu 2 used, before Duqu 2 was discovered.
- LinkedIn’s Private Bug Bounty Program: Reducing Vulnerabilities by Leveraging Expert Crowds: LinkedIn discusses the advantages of running a private bug bounty program (invite-only).
Conference materials and publications
- Unauthorized Cross-App Resource Access on MAC OS X and iOS: Discussion of what the authors refer to as XARA, for cross-app resource access attacks, where one app can access the resources granted to another app.
- BlueHat 2014
- Hack In The Box Amsterdam
- BlackHat EU
- PoC or GTFO 0x08
Tools
- CodeReason: Semantic binary code analysis framework and toolset from Trail of Bits.
- HashFilter: Sample Windows code for a WFP driver and control application to block Internet access for processes.
Other reads
- CVE-2015-1328: incorrect permission checks in overlayfs: Issue affecting all Ubuntu systems that allows privilege escalation.
- Analysis of CVE-2015-2360 – Duqu 2.0 Zero Day Vulnerability: Explanation of the vuln used by Duqu 2 to escalate its privileges to the kernel.
- E-Detective Lawful Interception System vulns: Fun and simple vulns in a program used for monitoring systems under investigations.
- In-depth analysis of a Dridex malware dropper: Great reversing of Dridex.