Sunday, December 18, 2016

Cyber Updates - 17/12

Hey all,
Here are this week’s cyber updates:

(1) In the last emails I’ve discussed how it is possible to gain unauthorized access to Linux systems by pressing the “Enter” key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf) as well as to Windows (by holding Shift + F10 during a Windows 10 update).
This time it is macOS’ turn to be vulnerable to password extraction, by exploiting two weaknesses together:
a. The first issue is that the Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS has started.
b. The second is that the password to the FileVault-encrypted disk is stored in clear text in memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is placed in multiple memory locations within a fixed memory range, making it readable by DMA-capable attack devices.

The attack is conducted by connecting a DMA-capable device and rebooting the Mac. Once the Mac reboots, the DMA protections that macOS previously enabled are dropped, while the memory contents, including the password, are still there in plain text. There is a time window of a few seconds before the memory containing the password is overwritten with new content.

(2) This has not been macOS’ week, as yet another vulnerability was discovered on this platform. This time it is a backdoor in Skype (yes, you read that right). The backdoor could allow any malicious third-party app to bypass the authentication procedure and gain nearly complete access to Skype on Mac OS X.
Accessing this backdoor is incredibly easy: all an attacker needs to do is change a text string in their app to "Skype Dashbd Wdgt Plugin", and the Skype desktop API grants access to sensitive features of Skype.
An attacker or any malicious program abusing this hidden backdoor could perform the following actions:
- Read notifications of incoming messages (and their contents)
- Intercept, read and modify messages
- Log and record Skype call audio
- Create chat sessions
- Retrieve user contact information

(3) A bug was discovered in Facebook that allowed a malicious website to exploit CORS (Cross-Origin Resource Sharing) in order to read your Facebook messages.
Apparently, Facebook forgot to properly set the Access-Control-Allow-Origin header on their chat domain ({number}-edge-chat.facebook.com), thus allowing a malicious website to send a request to Facebook and retrieve the content of your chat messages.

Here’s a PoC video: https://youtu.be/F__Fzt7vOwE
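
To make the header problem concrete, here is an added example (not Facebook's code; the origins, endpoint and sample probes are constructed) of the most common way Access-Control-Allow-Origin goes wrong: reflecting the caller's Origin while also allowing credentials, which lets a page on any site read a cookie-authenticated response. It is shown next to the allow-list policy that prevents it, with a browser-decision model and a small audit over captured headers.

```javascript
// Added example, not Facebook's code: how a CORS policy can accidentally let any
// website read an authenticated response, the allow-list policy that prevents
// it, and a small audit over captured response headers. Pure functions, no network.

// Origins permitted to read this API's responses cross-origin (assumed allow-list).
const TRUSTED_ORIGINS = new Set([
  'https://www.example-chat.test',
  'https://app.example-chat.test',
]);

// Vulnerable policy: reflect whatever Origin the request carried and also allow
// credentials. The browser then lets a page on any origin read the body of a
// cookie-authenticated response, i.e. the victim's own data.
function corsHeadersVulnerable(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: reflect only allow-listed origins, send Vary: Origin so
// shared caches keep per-origin responses apart, and omit CORS headers entirely
// for everything else (the browser then blocks the cross-origin read).
function corsHeadersHardened(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Model of the browser's decision: may a page at pageOrigin read the response
// of a credentialed (cookies included) fetch that came back with these headers?
function browserAllowsCredentialedRead(pageOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (!acao || acao === '*') return false; // '*' is rejected for credentialed requests
  return acao === pageOrigin && acac === 'true';
}

// Audit helper: given probes sent with different Origin values, report origins
// outside the allow-list whose value was reflected together with
// Access-Control-Allow-Credentials: true.
function findReflectedOrigins(probes) {
  return probes
    .filter(p => p.headers['Access-Control-Allow-Credentials'] === 'true'
              && p.headers['Access-Control-Allow-Origin'] === p.requestOrigin
              && !TRUSTED_ORIGINS.has(p.requestOrigin))
    .map(p => p.requestOrigin);
}

// Constructed sample: two probes against the misconfigured policy, one against the fixed one.
const SAMPLE_PROBES = [
  { requestOrigin: 'https://www.example-chat.test', headers: corsHeadersVulnerable('https://www.example-chat.test') },
  { requestOrigin: 'https://evil.invalid',          headers: corsHeadersVulnerable('https://evil.invalid') },
  { requestOrigin: 'https://evil.invalid',          headers: corsHeadersHardened('https://evil.invalid') },
];
```

Running findReflectedOrigins over SAMPLE_PROBES flags only the vulnerable reflection of https://evil.invalid; the same probe pattern (send a request with an unexpected Origin and inspect the two headers that come back) is how a defender verifies an endpoint after a fix.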

(4) It can’t be a Cyber post without discussing Patch Tuesday. This month Microsoft patched several products. The most critical bulletin is MS16-144, which addresses a flaw allowing remote code execution when the victim browses to a malicious page.
And as always, more patches for Flash: MS16-154.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit