Hey all,
Here are this week’s cyber updates:
(1) In the last emails I discussed how it is possible to gain unauthorized access to Linux systems by
pressing the “Enter” key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf)
as well as to Windows (by holding Shift + F10 during a Windows 10 update).
This time it is macOS’ turn to be vulnerable to password extraction, by chaining two weaknesses:
a. The first issue is that the Mac does not protect itself against Direct Memory Access (DMA)
attacks before macOS has started, so a DMA-capable device plugged into the machine can read
system memory freely during boot.
b. The second is that the password to the FileVault-encrypted disk is kept in clear text in
memory, even when the computer is in sleep mode or locked. It is not cleared on reboot: after
the reboot the password sits in multiple memory locations within a fixed memory range, which
makes it easy for an attack device to locate and read.
The attack is carried out by connecting the attack hardware and rebooting the Mac. Once the Mac reboots, the DMA protections that macOS had previously enabled are dropped. The memory contents,
Here are all the details: http://blog.frizk.net/2016/12/filevault-password-retrieval.html?m=1
And here’s a PoC video: https://youtu.be/n_3eIFMR46Y
(2) This has not been the week of macOS, as yet another vulnerability was discovered on this platform. This
time, a backdoor in Skype (yes, you’ve read it right) was discovered.
The backdoor could allow any malicious third-party app to bypass the authentication
procedure and obtain nearly complete access to Skype on Mac OS X.
Accessing this backdoor is incredibly easy. All an attacker’s app needs to do is identify itself with the text string "Skype Dashbd Wdgt
Plugin", and Skype’s Desktop API grants it access to sensitive Skype features without the normal authentication
procedure.
An attacker or any malicious program abusing this
hidden backdoor could perform the following actions:
o Read notifications of incoming messages (and their contents)
o Intercept, read and modify messages
o Log and record Skype call audio
o Create chat sessions
o Retrieve user contact information
Here are all the details: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-021/?fid=8709
(3) A bug was discovered in
Facebook that allows an attacker to exploit Cross-Origin Resource Sharing (CORS) in order
to read your Facebook messages.
Apparently, Facebook did not properly restrict the
Access-Control-Allow-Origin header on its chat domain ({number}-edge-chat.facebook.com),
so a malicious website you visit could make your browser send a request to Facebook (carrying your
Facebook cookies) and read the contents of your chat messages from the response.
Here’s a PoC video: https://youtu.be/F__Fzt7vOwE
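To make the CORS point concrete, here is an added example (my own illustration, not code from Facebook or from the researcher’s PoC) that models the server side and the browser’s read decision. The domain names are placeholders, and the exact header logic Facebook had is an assumption; what the example shows is the general failure: a server that echoes the request’s Origin together with Allow-Credentials lets any site read a logged-in user’s data, while a fixed allowlist (that also rejects the "null" origin) does not.

```javascript
// Added example, not from the original e-mail: weak vs. hardened CORS policy
// for a credentialed chat endpoint, plus a model of the browser's decision.
// Hostnames below are constructed placeholders, not Facebook's real hosts.

const TRUSTED_ORIGINS = new Set([
  "https://www.example-social.test",
  "https://m.example-social.test",
]);

// Weak policy (assumed to resemble the misconfiguration described above):
// echo whatever Origin the browser sent and allow credentials. Any page the
// victim visits can now fetch the chat endpoint with the victim's cookies
// and read the JSON response.
function weakCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: only a fixed allowlist of origins is ever echoed back.
// Absent or "null" origins (sandboxed iframes, file://, some redirects)
// get no CORS headers at all, so the browser blocks the cross-origin read.
function strictCorsHeaders(requestOrigin) {
  if (!requestOrigin || requestOrigin === "null") return {};
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep caches from serving one origin's headers to another
  };
}

// Model of the browser's check for a credentialed cross-origin response:
// the body is readable by the page only if ACAO exactly matches the page's
// origin (a wildcard is rejected when credentials are included) and
// Access-Control-Allow-Credentials is "true".
function browserCanReadResponse(pageOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (acao === "*") return false;
  return acao === pageOrigin && acac === "true";
}

// Simulate a page at `pageOrigin` calling
// fetch("https://0-edge-chat.example-social.test/...", { credentials: "include" })
// against a server using `policy`, and report whether it can read the reply.
function simulate(policy, pageOrigin) {
  return browserCanReadResponse(pageOrigin, policy(pageOrigin));
}

for (const origin of ["https://evil.test", "null", "https://www.example-social.test"]) {
  console.log(
    `${origin}: weak=${simulate(weakCorsHeaders, origin)} strict=${simulate(strictCorsHeaders, origin)}`,
  );
}
```

Run it with `node`: under the weak policy the attacker page and even a `null` origin can read the victim’s messages, while under the strict policy only the two allowlisted origins can.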
(4) It can’t be a cyber post without discussing Patch Tuesday. This month Microsoft patched several
products. The most critical bulletin is MS16-144 (the Internet Explorer cumulative update), which fixes remote code execution
triggered when the victim browses to a malicious page.
And as always, more patches for Flash: MS16-154.
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit