Weekly infosec news summary for 2017.11.12 – 2017.11.19
"The trend of using Microsoft Office as an Initial Access Vector is becoming less common as bad actors are realizing that Office is probably the best phase 2 & c2 agent you can ask for in a target environment. (Ab)using Microsoft Office to execute scripts, Win32 API, instantiate COM controls, secure communication back to c2 and stay persistent on a machine is the future. Office is the new PowerShell." Greg Linares
"If you want to argue that Apple is more secure than Android, curation of the app store is much more relevant than the relative exploit difficulty." Brad Hill
"Found an interesting vulnerability today: encapsulating an existing username in quotes during sign up would generate a JWT token for username without quotes instead of with quotes. Gotta love a clean account takeover!" Jobert Abma
"TIL many newer systems don't ship with a TPM chip, and instead rely on Intel ME to emulate the TPM, which is called Intel PTT. On these systems, if you were to disable Intel ME for security reasons, you'd be disabling the TPM (and Secure Boot, etc.) too." Brian Smith
Skeleton in the closet. MS Office vulnerability you didn’t know about
Embedi found a vulnerability in MS Office due to some old code from 2000 that is still there (link). They started by simply looking for executables that did not have security features. I've pointed out previously how you should be hunting for executables without security features and released SERENE and YARA signatures to help.
Once Embedi had a target executable, they dug into how to reach the code paths inside it, using code coverage tools to find the paths leading to a function they suspected would be of interest. Because the executable had no security features such as DEP/ASLR, a simple buffer overflow was enough for exploitation once they had found a vulnerability.
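The hunting step described above, finding executables that were built without mitigations, can be automated by reading the PE optional header's DllCharacteristics flags. This is an added illustration, not Embedi's, Microsoft's or SERENE's code; the `fake_pe` helper builds a constructed header-only image so the check can be exercised without a real binary.

```python
"""Report which exploit mitigations (ASLR, DEP, CFG) a PE image opted into."""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
MITIGATIONS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high entropy
    "DYNAMIC_BASE":    0x0040,  # ASLR opt-in
    "NX_COMPAT":       0x0100,  # DEP opt-in
    "GUARD_CF":        0x4000,  # Control Flow Guard
}

def pe_mitigations(data: bytes) -> dict:
    """Return {flag_name: bool} for the PE image in `data`; raise ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {name: bool(dll_chars & bit) for name, bit in MITIGATIONS.items()}

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image does NOT opt into (the hunting criterion)."""
    return [name for name, on in pe_mitigations(data).items() if not on]

def fake_pe(dll_chars: int) -> bytes:
    """Constructed header-only image (not runnable) carrying the given DllCharacteristics."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # i386, 224-byte opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "missing:", missing_mitigations(f.read()))
```

Run it over a directory of executables and anything that reports both DYNAMIC_BASE and NX_COMPAT missing is a candidate of exactly the kind Embedi started from.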
Microsoft released an out-of-band patch for this where they seem to have simply edited the binary by hand, as opposed to recompiling, to fix the vuln (link). The update fixed 6 other buffer overflows (link) and they also turned on ASLR, but not DEP. Some comments have been made about how Microsoft must have lost the source code to resort to this, but there are all sorts of other reasons to do this; I think the best reason is simply that this was easier than trying to retest all the possible changes that can come about from recompiling, especially if they decided to additionally use a more modern compiler to take advantage of security features. For example, their build environment back then would not have supported ASLR.
Also, as a result of investigations into this, Will Dormann from CERT/CC discovered that system-wide mandatory ASLR made available by EMET and Windows Defender Exploit Guard does not work effectively on Windows 8 (link).
Chrome OS exploit chain
An exploit chain was discovered and patched for Chrome OS, with $100K being awarded to the anonymous finder (link). This is a short, beautiful read, identifying a wide variety of bug classes.
Conference materials and publications
- "Machine Learning, Offense, and the future of Automation" by Halvar Flake: This keynote from ZeroNights makes the case that ML is not the right tool to use for most defensive purposes, but is for offensive uses.
- AppSecUSA videos: Conference in Orlando, Florida from September.
- Kaspersky SAS videos: Kaspersky conference for analysts from April.
- CredScan: Project to detect credentials in source code. This is focused on Azure related credentials and is an extension for the Continuous Delivery Tools for Visual Studio, so appears to be only appropriate if you're tied into that ecosystem.
- quad9 DNS resolver: DNS resolver hosted at 184.108.40.206 which will not resolve malicious domains. It also offers DNS over TLS, but you'll need to set up a local resolver to make use of that.
- Security alerts on GitHub: GitHub has now released their functionality to detect older dependencies with known vulnerabilities and suggest fixes.
- Visual Studio Live Share: Visual Studio and Visual Studio Code (the free version) now allow collaboration while viewing, editing, and even debugging. This means that instead of screen-sharing where only one person is in control and the other is watching, both people can now be active at the same time. The Atom editor also released a similar capability this week (link).
- osquery Across the Enterprise: Post from Palantir on how they use osquery, including how they've used it to react to threats.
- China's Ministry of State Security Likely Influences National Network Vulnerability Publications: Recorded Future follows up on a previous report of theirs titled The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting, where they pointed out that the US National Vulnerability Database, which keeps track of vulnerabilities as CVEs, lags behind China's National Vulnerability Database (CNNVD). In this post, however, Recorded Future makes the case that when vulns are being leveraged by Chinese APTs, those vulns are not being included in the CNNVD as proactively.
- Huddle race condition: This service had an interesting bug where if two people tried to sign in at the same time, they could both end up logging into one account, meaning one person was given access to someone else's account. This type of issue hints at there being architectural issues.
- Windows Defender Exploit Guard ASR Rules for Office: Shows how to set up rules on Windows for Microsoft Office to prevent it from starting new processes.
- The Motherboard Guide to Not Getting Hacked: As many of you visit with family during the next week (it is Thanksgiving in America) and are asked about security tips, this is one of the better single places to direct people to.
- Remote Code Execution in CouchDB: CouchDB contains two JSON parsers. One parser is used for input validation and the other parser is used to actually do things, and they work differently, so the input validation was bypassed, ultimately leading to RCE.
- afl-unicorn: Part 2 — Fuzzing the 'Unfuzzable': This write-up discusses how to use manual reverse engineering, in conjunction with the AFL fuzzer, to get the fuzzer to work on the part of the code that is of interest to you by allowing you to set a breakpoint on the start of the code of interest. Then you run the process to get to the breakpoint, dump the context, and have the fuzzer work from that context.
- Scamming Scammers By Wasting Their Time: Interesting application of AI to trick scammers into wasting their time when they send phishing emails by having a chatbot respond to them.
- Why I walked away from $30,000 of DJI bounty money: This article is interesting for giving insight into the perspective of a bug bounty hunter and the interactions with a company. The bug bounty hunter discovers some findings, but doesn't report them until the company gives more clarification on the scope of the program. The researcher presents the findings, the company tries to claim the issue is not in scope or real, over 130 emails are exchanged, the company decides to pay $30k but with restrictions, lawyers get involved, and ultimately the researcher gives up on working with the company. Both sides seem to have unhealthy views.
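The CouchDB item above is an instance of a parser differential: the validator and the consumer read the same bytes differently, so a document the validator accepts is not the document the consumer acts on. This added illustration is not CouchDB's code; the particular disagreement modelled (how duplicate object keys are resolved) and the `roles` field are assumptions chosen to make the bug class concrete, and the fix shown is parsing once and validating the object that will actually be used.

```python
"""Parser-differential demo: two JSON readers, one validation, and the parse-once fix."""
import json

# Constructed sample: one object that repeats a key. Different parsers
# legitimately disagree on what it means, which is the whole problem.
SAMPLE = '{"name": "demo", "roles": ["reader"], "roles": ["admin"]}'
ALLOWED_ROLES = {"reader"}

def last_wins_load(text: str) -> dict:
    """Python's default behaviour: a repeated key silently takes the last value."""
    return json.loads(text)

def first_wins_load(text: str) -> dict:
    """Model of a second parser that keeps the first occurrence instead."""
    def first(pairs):
        obj = {}
        for k, v in pairs:
            obj.setdefault(k, v)
        return obj
    return json.loads(text, object_pairs_hook=first)

def strict_load(text: str) -> dict:
    """Hardened reader: refuse any object that repeats a key, so only one reading exists."""
    def no_dupes(pairs):
        obj = {}
        for k, v in pairs:
            if k in obj:
                raise ValueError("duplicate key %r" % k)
            obj[k] = v
        return obj
    return json.loads(text, object_pairs_hook=no_dupes)

def strict_rejects(text: str) -> bool:
    try:
        strict_load(text)
        return False
    except ValueError:
        return True

def validate_then_use(text: str, validator, consumer):
    """Buggy pattern: validate with one parser, then re-parse the raw text with another.
    Returns the roles the consumer ends up using, or None if validation rejected the input."""
    if not set(validator(text).get("roles", [])) <= ALLOWED_ROLES:
        return None
    return consumer(text)["roles"]

def parse_once_then_use(text: str, parser):
    """Fixed pattern: parse once and validate the very object that will be used."""
    obj = parser(text)
    roles = obj.get("roles", [])
    return roles if set(roles) <= ALLOWED_ROLES else None
```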
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!