Downclimb

2016.11.20

Weekly infosec news summary for 2016.11.13 – 2016.11.20

Top stories

Phone firmware found beaconing home

The company kryptowire discovered several models of inexpensive Android phones had firmware that was beaconing home full-body of text messages, contact lists, call history with full telephone numbers, applications installed, and unique device identifiers (link). It also has the ability to target specific keywords for collection, bypass the Android permission model, and remotely execute commands with elevated privileges. This software was provided to device manufacturers by the company Shanghai Adups Technology Co. Ltd., based in China, with 700 million users of its devices, which range from not only Android phones but also include software in cars and televisions.

The old stand-by for detecting things like this is to put a device on an isolated, well-monitored network and wait and see what it calls out to. A friend of mine once did this for a pirated copy of Windows, and after a month it start beaconing to an IP in Finland. However, this technique will not work when the backdoor has some logic in it. Much like malware that attempts to avoid detection in virtualized environments or from analysts, backdoors can be time gated (such as my friend’s one month delay or this phone firmware’s 72 hour delay), geo-fenced (such as the malicious puush auto-update that only was sent down to users not in Japan), or any other logic you can think of.

Next you have problem of actually identifying what this communication is doing, so reverse engineering is needed. For this firmware backdoor, the data was encrypted making it harder to detect. However, the encryption was simply DES and has a static key across all devices, so anyone with a passive collection can also benefit from this backdoor, and likely can push their own updates if they have a privileged network position.

Just because you see traffic doesn’t always mean it’s malicious. In this case, seeing the text messages getting siphoned up is clearly bad, but if it was just beaconing home for updates with the version and maybe some device identifiers would that be bad? Maybe not, but as in the case of the puush update, malicious updates can be sent down to specific targets. For more on this concept, read my post The Great Graph.

Conference materials and publications

DEF CON 24 videos: DEF CON took place in Las Vegas in July.
POC Slides: The Power of Community conference took place in South Korea two weeks ago.
BSides Lisbon videos: This conference took place in Lisbon, Portugal two weeks ago.

Tools

Visual Studio for Mac: A preview release is of the Microsoft IDE is now available for Macs.
Hopper v4: The disassembler alternative to IDA Pro has a new release with arm64 decompilation.
0xbadfca11/mitigation_test: EMET Mitigation test kit. Contains code to test some of the features of EMET.

Other reads

PoisonTap: This story made a lot of news this week, mostly because people have a weird fascination with trinkets and physical objects when applied to infosec. The project involves making a cheap hardware device act as an Internet gateway, plugging that into a laptop, and then forcing the browser to appear to visit millions of sites as HTTP and then retrieving all the cookies. The concept of creating a network around a device was shown in September by mubix (link) where he used this along with the WPAD issue in Windows to gain access to the system. In opposition to many people’s knee jerk reactions, these tricks have nothing to do with getting physical access to the device. As such, these tricks shouldn’t be “game over”, but the Internet exists in a sad state where encrypted communications are still less common than they should be, and privileged network access is more devastating than it should be. scriptjunkie points out the actions needed to defeat local network attacks in his post here. Another tactic is for the system to take action (in this case shut off) when a new USB device is added by using a project such as hephaest0s/usbkill for Linux and macOS or scriptjunkie also has a similar tool for Windows called WinTheftProtection described in his post How to run a secret drug empire and hide your incriminating evidence.
Risky design decisions in Google Chrome and Fedora desktop enable drive-by downloads: Chris Evans (aka scarybeasts) has started going full-disclosure on issues he is finding with this and another issue (Compromising a Linux desktop using… 6502 processor opcodes on the NES?!). Google Chrome can automatically download files, which could be trouble-some, but isn’t really a problem as those files shouldn’t execute or do anything. The problem, however arises because Fedora automatically indexes new files, meaning it parses them, and it has a bug in its parsing. It seems to parse a ton of things, so this is likely not its only vuln and the parser runs unsandboxed. The parser in question is named “gstreamer1-plugins-bad-free” which indicates it is “bad” and Linux distros should not be enabling this by default (Ubuntu is also affected). In Chris’s other exploit, the problem is also in gstreamer, but to make matters more infuriating, Ubuntu ships with two plugins for parsing the vulnerable file with the default one being vulnerable and the unused one not vulnerable to the flaw identified.
SIP disabled on some new Macs: Many people are finding their new Macs do not have System Integrity Protection (SIP) enabled. This was a big change and security improvement added to the last major version of macOS (El Capitan). It seems this feature has been disabled by accident (and again, it’s only on some Macs, but it’s fairly common). This indicates major quality assurance problems at Apple for not only accidentally disabling a feature, but also for disabling it on only some devices. This feature is enabled by default though on these new models if you do an NVRAM reset (nvram -c), so sadly it looks like consumers should run this when they first obtain their new Macbooks.
CVE-2016-4484: Cryptsetup Initrd root Shell: This issue involves being able to get shell on a system that prompts for the LUKS decryption password by pressing the enter key 93 times when prompted for the password. In this situation, you have shell on a system that still has an encrypted root partition. Don A. Bailey does a good job of describing why this is low severity in his post on this (link).
Adobe fined $1M for their 2013 breach: Due to Adobe’s 2013 data breach that exposed payment records on approximately 38M people, they are being fined a miniscule $1M, or less than $0.03 per person affected.
Increasing Attacker Cost Using Immutable Infrastructure: Diogo Mónica from Docker shows how to do forensics on a Docker image, and also how to better secure them by making them read-only. Diogo also has a good talk on a very dfferent subject from BSides Lisbon, mentioned above, on using MTLS in a Microservices World.
Tetris heap spraying: spraying the heap on a budget: SkyLined writes about a technique he used in a heap spray 10 years ago to identify the amount of RAM on a system. What I really like about this article is the description of how he did this, which is to compare his problem to Tetris and ask “what if the game rules were reversed and you get points for getting a block at the top of the screen as fast as possible?”

To receive a weekly email notification of this newsletter, email scott@summitroute.com

← Previous: Downclimb | Next: How to write security alerts →