Monday, December 26, 2016

Cyber Updates - 26/12

Hey all,
Here are this week’s cyber updates:

(1) PHPMailer was found to be exposed to a critical remote code execution vulnerability (CVE-2016-10033).
While the security researcher has not yet published a working exploit (due to his responsible disclosure), looking at the diff between version 5.2.17 and 5.2.18 (the patched version) shows that the “from” email address is not validated. Thus, it is possible to inject commands into that parameter that will later be executed by the OS.

PHPMailer is used by several open-source projects, including: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. 

Clients are requested to update their PHPMailer version immediately.
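As an added example (not PHPMailer's own code, nor the researcher's), here is the kind of sender check a caller can apply before the address reaches the local sendmail binary's `-f` option, together with an argument vector that is never re-split by a shell. The regex, the binary path and the helper names are my own assumptions.

```python
import re
import subprocess

# Conservative sender-address pattern (an assumption for this example, not an
# RFC 5322 parser). Quotes, whitespace and shell metacharacters are exactly what
# a command injection through the sendmail "-f" option relies on, so they are
# rejected outright rather than escaped.
_SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(addr: str) -> bool:
    """True only for addresses built from a conservative character set."""
    if not addr or len(addr) > 254 or addr.startswith("-"):
        return False
    return _SAFE_ADDR.fullmatch(addr) is not None


def sendmail_argv(from_addr: str, sendmail: str = "/usr/sbin/sendmail") -> list:
    """Build the argv for sendmail with a vetted envelope sender.

    Each element is a separate argv entry, so even if a bad address slipped
    through, the shell would never split it into extra options. Anything
    failing the check is refused before it reaches the mail transport.
    """
    if not is_safe_sender(from_addr):
        raise ValueError("refusing unsafe sender address: %r" % from_addr)
    return [sendmail, "-t", "-i", "-f" + from_addr]


def deliver(from_addr: str, message: bytes) -> None:
    """Hand a fully formed RFC 822 message to sendmail without a shell."""
    subprocess.run(sendmail_argv(from_addr), input=message, check=True, shell=False)
```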

(2) An SQL injection vulnerability exists in Panasonic Avionics, allowing malicious users to affect the entertainment system on your flight. While illegal, you can try to exploit it the next time you fly with American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore, or Aerolineas Argentinas. Just in case you had any doubt, I am not telling you to hack these systems and I will definitely not bail you out if you’ve chosen to do so :)


(3) With “surprising” timing after this incident, Gogo, one of Panasonic Avionics’ major competitors, has launched a new bug bounty program, asking security researchers to find vulnerabilities in its products.
The company’s products are used by numerous airlines, such as: Aeroméxico, Aer Lingus, American Airlines, Air Canada, Alaska Airlines, Beijing Capital, British Airways, Delta Air Lines, GOL, Hainan Airlines, Iberia, Japan Airlines, JTA, United Airlines, Vietnam Airlines, Virgin America and Virgin Atlantic.

(4) This Xmas has brought a surprising “gift” to UK Groupon users. Many of them have reported that their account was hacked.
Groupon says there hasn't been any security breach of its own site or app, but acknowledges it has seen a series of cases where fraudsters managed to hack into Groupon accounts after obtaining log-in and password information via third-party websites. In other words, Groupon blames its clients and does not intend to do anything about it.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Sunday, December 18, 2016

Cyber Updates - 17/12

Hey all,
Here are this week’s cyber updates:

(1) In the last emails I discussed how it is possible to gain unauthorized access to Linux systems by pressing the “Enter” key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf) as well as to Windows (by holding Shift + F10 during a Windows 10 update).
This time it is macOS’s turn to be vulnerable to password extraction, by exploiting two weaknesses:
a. The first issue is that the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS is started.
b. The second is that the password to the FileVault encrypted disk is stored in clear text in memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is put in multiple memory locations within a fixed memory range, making it readable by hacking devices.

The attack is conducted by connecting a hardware device and rebooting the Mac. Once the Mac is rebooted, the DMA protections that macOS previously enabled are dropped. The memory contents, including the password, are still there in plain text. There is a time window of a few seconds before the memory containing the password is overwritten with new content.

(2) This has not been the week of macOS, as yet another vulnerability was discovered in this platform. This time, a backdoor in Skype (yes, you’ve read it right) was discovered. The backdoor could allow any malicious third-party app to bypass the authentication procedure and gain nearly complete access to Skype on Mac OS X.
Accessing this backdoor is incredibly easy. All an attacker needs to do is change a text string in their app to "Skype Dashbd Wdgt Plugin", and the desktop API will provide access to sensitive features of Skype.
An attacker or any malicious program abusing this hidden backdoor could perform the following actions:
- Read notifications of incoming messages (and their contents)
- Intercept, read and modify messages
- Log and record Skype call audio
- Create chat sessions
- Retrieve user contact information


(3) A bug was discovered in Facebook that allows attackers to abuse CORS in order to read your Facebook messages.
Apparently, Facebook forgot to properly set the Access-Control-Allow-Origin header on its chat domain ({number}-edge-chat.facebook.com), thus allowing a malicious website to send a request to Facebook (with the victim’s browser cookies attached) and retrieve the content of your chat messages.

Here’s a PoC video: https://youtu.be/F__Fzt7vOwE
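To make the misconfiguration concrete, here is an added example (my own code, not Facebook’s) that puts the weak server-side CORS decision next to a hardened one and runs both through a simplified model of the browser’s CORS response check. The allow-list entries and function names are assumptions for the example.

```python
# Origins that may read credentialed responses from the chat endpoint.
# Constructed for this example; a real allow-list would be configuration.
ALLOWED_ORIGINS = {
    "https://www.facebook.com",
    "https://m.facebook.com",
}


def cors_headers_weak(origin):
    """The misconfiguration: reflect whatever Origin arrives and allow credentials.
    The browser will then attach the user's cookies to a request from any site
    and let that site read the reply."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin):
    """Hardened: echo the Origin only when it is an exact, HTTPS, allow-listed
    match; otherwise send no CORS headers so the cross-origin read is blocked."""
    if origin is None:
        return {}
    normalized = origin.strip().lower()
    if not normalized.startswith("https://") or normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's headers to another
    }


def browser_allows_read(origin, response_headers, with_credentials):
    """Simplified CORS response check as a browser performs it: with credentials
    the ACAO value must equal the requesting origin (never '*') and ACAC must be
    'true'; without credentials '*' or an exact match is enough."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials")
    if acao is None:
        return False
    if with_credentials:
        return acao == origin and acac == "true"
    return acao == "*" or acao == origin
```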

(4) It can’t be a Cyber post without discussing Patch Tuesday. This month Microsoft has patched several products. The most critical bulletin is MS16-144, which fixes remote code execution triggered when the victim browses to a malicious page.
And as always, more patches for Flash: MS16-154.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, December 8, 2016

Cyber Updates - 08/12

Hey all,
Today I’d like to introduce you to Stegano, a new exploit kit that was recently delivered through malicious ads.

The exploit kit uses MS16-037 (an Internet Explorer vulnerability) to check whether it is running on a malware analysis system. Based on server-side logic, the target is then served either a clean image or a malicious one, with a script encoded in its alpha channel (which defines the transparency of each pixel). The script then redirects the user to another URL which attempts to exploit three different Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the victim’s Flash version.

The attached image illustrates the attack.

What is interesting to note is that the exploit creators did not want it to be discovered. As such, the malware is not executed if one of the following processes/modules is running on the system:
- vmtoolsd.exe
- VBoxService.exe
- prl_tools_service.exe
- VBoxHook.dll
- SBIEDLL.DLL
- fiddler.exe (luckily for us, they also check if the tool is installed, so all Comsec’s consultants are in the clear)
- charles.exe
- wireshark.exe
- proxifier.exe
- procexp.exe
- ollydbg.exe
- windbg.exe

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, December 1, 2016

Cyber Updates - 01/12

Hey all,
Here are this week’s cyber updates.

As you can see there are many updates and many vulnerabilities published this week, but trust me - it’s worth reading them all.

(1) Are you using a rooted Android device? If so, don’t use the Tesla app if you own a Tesla car.
Security researchers managed to steal a Tesla car by hacking the owner’s phone.
Tesla’s app generates an OAuth token when a Tesla owner logs into the Android app for the first time. The app then uses this token, without requiring the username and password combination, every time the owner re-opens the app. This OAuth token is stored in plain text within the device’s system folder, which can be accessed by the privileged root user only.

By installing an app which roots the Android device (or installing the app on an already rooted device), the attackers can read the OAuth token from the Tesla app.

(2) If you are running an Android device, you might have been infected with the new “Gooligan” malware.
The malware is installed as part of legitimate (or not so legitimate) apps downloaded from Google Play. It is already installed on more than 1,000,000 devices; the malware roots the device (usually by exploiting CVE-2013-6282 or CVE-2014-3153) and steals email addresses and access tokens. This means that the owners’ Google accounts were hacked.
The owners of Gooligan wanted to earn some extra cash, so they install adware on infected devices. However, they wanted to gain even more money, so they started buying their own apps on Google Play – at your expense!

Luckily for us, Check Point has built a tool that allows everyone to check if their email address was compromised. Feel free to check whether your email address is affected at the following URL: https://gooligan.checkpoint.com/ (really, feel free to do so, otherwise the malware will cause you to pay much more :)).

(3) Two weeks ago I wrote about unauthorized access to a Linux machine by pressing the “Enter” key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf).

Apparently, Microsoft wanted to have its own go at weird keystroke combos. A BitLocker-bypass privilege escalation exploit was discovered this week: by holding Shift + F10 during the Windows 10 upgrade procedure, an attacker can gain SYSTEM privileges on the workstation.
The SHIFT+F10 feature has existed in earlier versions of Windows as well, and could also be used to bypass BitLocker on Windows 7 and 8, but the feature has become a real flaw only with Windows 10 in-place upgrades.

Most of us (myself included) leave the PC unattended while installing Windows updates. During this time, anyone with local access to the machine can open a command prompt and execute malicious commands with SYSTEM privileges, despite BitLocker's presence.

There is no fix for this vulnerability (yet), making it a 1-day vulnerability.

Check out this URL for more details and PoC video: http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html


(4) The notorious Mirai botnet was used once again, and this time it targeted a German ISP (Deutsche Telekom).
This time, a remote code execution flaw was discovered on the router. In particular, the NewNTPServer field of a SOAP request was used to download and execute a file in order to infect the vulnerable devices, which by default expose the service to everyone by listening on port 7547 (the TR-069 remote management port used by ISPs to manage routers).

The really bad news is that the exploit closes port 7547 to prevent other attackers from hacking into the same machine. While a Shodan search from a couple of days ago presented over 41 million vulnerable devices, now we can see fewer than 100,000 (meaning that either the ISP acted really fast by closing the port, or that the hackers were fast in their hacking attempts; I’ll let you guess who’s faster :)).

More information about the payload can be found in the following URL: https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/

Organizations are requested to check whether their routers were infected by searching their logs for DNS queries to the following domains:
(i) timeserver.host
(ii) securityupdates.us
(iii) tr069.pw
(iv) srrys.pw
(v) l.ocalhost.host
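The log check suggested above, as an added example of my own (not from the referenced Securelist write-up): it scans BIND-style query-log lines for lookups of the five domains listed, matching subdomains as well while avoiding false positives on names that merely end with the same characters. The log format and the sample lines are constructed for the example.

```python
import re

# Indicator domains taken from the list above.
MIRAI_DOMAINS = (
    "timeserver.host",
    "securityupdates.us",
    "tr069.pw",
    "srrys.pw",
    "l.ocalhost.host",
)

# BIND query-log shape assumed for this example, e.g.
# 28-Nov-2016 09:15:02.117 client 10.0.0.7#41234: query: srrys.pw IN A + (10.0.0.1)
_QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def qname_matches(qname, indicators=MIRAI_DOMAINS):
    """True if the queried name is an indicator domain or a subdomain of one.
    A trailing dot and letter case are normalised; 'nottr069.pw' must not match."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in indicators)


def find_mirai_lookups(log_lines):
    """Return (client_ip, queried_name) for every line that resolved an indicator."""
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and qname_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".").lower()))
    return hits


# Constructed sample log: two internal hosts touch indicator domains, one does not.
SAMPLE_LOG = """\
28-Nov-2016 09:15:02.117 client 10.0.0.7#41234: query: srrys.pw IN A + (10.0.0.1)
28-Nov-2016 09:15:03.004 client 10.0.0.8#53000: query: www.example.com IN A + (10.0.0.1)
28-Nov-2016 09:15:05.390 client 10.0.0.7#41235: query: TIMESERVER.HOST. IN A + (10.0.0.1)
28-Nov-2016 09:15:06.001 client 10.0.0.9#41236: query: nottr069.pw IN A + (10.0.0.1)
28-Nov-2016 09:15:07.552 client 10.0.0.9#41237: query: cdn.l.ocalhost.host IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for client, qname in find_mirai_lookups(SAMPLE_LOG):
        print("possible Mirai infection: %s resolved %s" % (client, qname))
```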



      (5) Do you think your privacy is protected if you’re using Tor?
A JavaScript 1-day exploit targeting a memory corruption flaw in the Firefox web browser is currently being used in the wild. It allows the attacker to determine the true IP address of the user, as well as to compromise the entire machine.

The JavaScript PoC code can be found at the following URL:

Customers who use Tor to protect their privacy can check whether they have been compromised by checking if their machine has communicated with the attacker’s C&C server (5.39.27.226:80).
This exploit is very similar to the 2013 Tor exploit used by the FBI.

(6) San Francisco commuters have used the metro for free in the last couple of days. No, the mayor didn’t want you to ride free of charge; the city had to let everyone ride for free because its payment systems were infected by ransomware.
The city was asked to pay a ransom of $73,000 to the hacker, but instead decided to roll back to a recent backup (after receiving advice from the FBI).

BTW, someone managed to hack the hacker’s mailbox (by guessing the answer to the secret question) and provided a history of their ransoms: since August the hacker has extorted at least $140,000 in Bitcoin from victim organizations. The hacker has targeted websites vulnerable to the Java deserialization exploit.

(7) Google Chrome had a (low risk) bug that Microsoft wouldn’t patch for 2 years. This may help you during the reconnaissance phase of an infrastructure penetration test.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit