Downclimb

2015.08.02

Downclimb: Summit Route’s Weekly Cyber News Recap
2015.07.26 – 2015.08.02: https://SummitRoute.com

Quotes

“if you’re supposedly my adversary (i.e. on team defense) and yet you’re sitting right alongside me going “oooh” and “aaah” at whichever software vulnerability then you’re probably in the wrong place, or … I suppose … maybe just in the wrong time.” Bas Alberts

“It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” Alix Jean-Pharuns on Rowhammer

“Google paid $1,337 for Android RCE via MMS aka Stagefright, we pay up to $100,000 for such exploits. We pay big bounties, not bug bounties!” Zerodium

“I might be a little old fashioned, but where I come from we don’t write public advisories for NULL pointer dereference bugs.” jduck in reference to Trend Micro trying to jump on the media blitz around Stagefright by announcing a weaker Android bug they found.

“Honestly if you’re savvy enough to seed your password database with JtR 0day you’ve kinda earned that shell” Dan Kaminsky in response to Solar Designer mentioning they had fuzzed John the Ripper for vulns

” somewhere hackers are hacking, and they’ve got shit to do. None of which includes telling you about it at blackhat or anywhere else.” Bas Alberts

Top stories

Monitoring emails and phishing

Phishing emails that ask someone to wire money are nothing new, but in this twist, the attackers are first gaining access to the mail servers, identifying real business emails involving wire transfers, and then modifying those to direct where wire transfers should be made.

http://www.wsj.com/articles/hackers-trick-email-systems-into-wiring-them-large-sums-1438209816

Stagefright

Stagefright is both the name of the media playback engine in Android and the name of the exploit which is composed of 7 vulns: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829. It uses specially crafted MMS (multimedia messages) and affects Android phones since 2.2 (released in 2010), meaning nearly every Android phone. It was disclosed to Google months ago, and Google fixed it, but because the Android market is so fractured and the various vendors don’t often provide patches, many people will be vulnerable until they buy a new phone.

The original post[1] broke the story, but for details, the best place to look is the Chinese blogs[2,3], and if you want to do some ambulance chasing there is a fuzzer[4,5] already built for this library.

Blog post: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
Discussion of the individual vulns and patches: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F7558&edit-text=&act=url
A POC exploit: https://translate.google.com/translate?hl=en&ie=UTF8&prev=_t&sl=zh-CN&tl=en&u=http://drops.wooyun.org/papers/7557
Fuzzing framework for StageFright from someone else: https://github.com/fuzzing/MFFA
Paper on the fuzzer: http://events.linuxfoundation.org/sites/events/files/slides/ABS2015.pdf

Yahoo’s Bounty Stats

Quick stats from Yahoo’s bug bounty. They’ve received 10K submissions, of which 15% were awarded, and have paid out $1M+. 50% of the submissions are from the top 6% of contributors.

http://yahoopolicy.tumblr.com/post/125263109223/yahoos-pays-1m-to-network-vulnerability

Business

Cylance announces $42M Series C: There is a saying in infosec: “Those who use machine learning for security are doing neither.” Cylance is an antivirus vendor that uses machine learning.

Newspaper News

BitDefender hacked: The antivirus vendor BitDefender has been hacked and usernames and plain-text passwords for it’s customers have been compromised.

Conference materials and publications

Infiltrate videos: Infiltrate is an infosec conference focused on offensive research (which is actually all infosec conferences, but at least Infiltrate is honest about it). This is the first time they’ve released videos.
One font vulnerability to rule them all #1: Introducing the BLEND vulnerability Massive post from J00ru at Google P0 discussing the history of fonts on computers.
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript: Paper and source for a rowhammer attack using Javascript in Firefox.
Technical Details of the S3 Resume Boot Script Vulnerability: Discussion of a vuln in EFI based system firmware and platform configuration when resuming from the S3 sleep state.

Tools

WDK 10 and symbols: The Windows Driver Kit (WDK) for Windows 10 is now available along with symbols for the official Windows 10 release.
libbdvmi: BitDefender has open-sourced their library for x86 virtual machine introspection for Xen. Intro post here. This library is similar to LibVMI and so what it does is help you inspect the memory of a running virtual machine. BitDefender doesn’t state their use case, but one possible use case might be to analyze malware or exploits by running them in a VM, and then inspecting them with this library. It’s really cool to see an AV company open-sourcing some of their work.
BinDiff: New version of the IDA Pro diff’ing plugin is now available with support for Arm64.
Picon: Control Flow Integrity protection implemented as an LLVM compiler along with a monitor app that is used to do the execution integrity. Intro post here. This is an alternative to the NSA’s library released last week.