So what have I been doing over the last year and a half? Why has this blog gotten so eerily quiet?
You can now pick up a copy at Amazon.
- Metasploit has a new Browser Autopwn module! If you want to learn how it works, take a look at Part 2 of that series.
- There is a new OS X 10.10 local root privilege escalation attack, that is so sophisticated it fits in a tweet. Yeah, it is in Metasploit.
- There is also a new Metasploit module for local privilege escalation on Windows; this affects Windows 7 and Windows Server 2008 R2. The underlying vulnerability is CVE 2015-1701 and was patched by MS 15-051.
- There is another Windows local privilege escalation attack available; this one coming from the results of the Hacking Team. This underlying problem is CVE 2015-2426 and patched by MS 15-078.
- There is a new Metasploit module for Adobe Flash, Adobe Flash Player Drawing Fill Shader Memory Corruption. This targets CVE 2015-3105. The exploit has been tested on a number of combinations, including Windows 7 (32 bit), Flash 188.8.131.52 and IE 11 or Firefox 38.0.5; it also works against Windows 8.1 (32 bit) with Flash 184.108.40.206 and Firefox 38.0.5. More interestingly, it also works against Mint 17.1 (Rebecca) (32 bit) with Firefox 33.0 and Adobe Flash 220.127.116.110. This success against Linux targets differentiates this Flash exploit from previous ones.
- There is another new Metasploit module for Adobe Flash, Adobe Flash Player ShaderJob Buffer Overflow; this one exploits CVE 2015-3090. Like the previous one, this also hits both Windows and Linux targets, including Windows 7 SP1 (32 bit) with Flash 18.104.22.168 and either IE11 or Firefox 38.0.5; Windows 8.1 with Flash 22.214.171.124 and Firefox 38.0.5; and Mint 17.1 (Rebecca) (32 bit) with Firefox 33.0 and Adobe Flash 126.96.36.1997.
- As proof positive that I have spent too much time on my book and not enough on the blog, here is a third Metasploit module attacking Adobe Flash; this one exploits CVE 2015-5122 and impacts a range of Adobe Flash versions, including Adobe Flash 188.8.131.52 on Windows 8.1 (32 bit). Take a look at the module’s source code for a list of tested targets.
- Another new module is VNC Keyboard Remote Code Execution, which attacks VNC servers on Windows or Linux.
- Did you know it is possible to perform SSL certificate verification on your Metasploit shells? Well, I didn’t.
- There is a Metasploit module to forge certificates to allow an SSL MITM attack. The underlying problem, CVE 2015-1793, impacts OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c. Qihoo 360 has some technical details of the flaw.
- There is a local privilege escalation attack now available for Ubuntu 15.04, 14.10, 14.04, and 12.10. The underlying vulnerability is CVE 2015-1328.
- Cisco apparently has default SSH keys on a number of their appliances.
- Vlad Tsyrklevich has an interesting discussion on the state of the 0-day market based on fallout from the Hacking Team dumps.
- One of the attacks described in my forthcoming book is a brute force attack against an SSH server. Well, there is now a better way to run such attacks, at least against OpenSSH. Try Ars Technica for some perspective.
- One interesting bit of fallout from the Hacking Team leak is the fact that they had a UEFI BIOS rootkit that would provide persistence across even replacing the hard drive.
So, where have I been for the last month? Lots of grading! However, that is now done, and my students have graduated into the wide wide world (Good luck all!).
The book is moving along smartly. The first draft is finished: 750 pages of hacking goodness. Technical review is about half finished, and we are looking at publication in a few more months.
In the meantime though, there has been a lot of news….
- For years I relied on Sourceforge as a location to find high quality open source tools. Well it seems that they have gone over to the dark side, and are now adding adware to Windows installers for projects on their site. This became big news when GIMP announced this had happened to them. For some details, see Ars Technica.
- There is a new local privilege escalation exploit for Windows 8 that has appeared at Exploit-db. This is a Python based exploit that attacks CVE 2014-4113 and was patched in MS 14-058. I tried the exploit on a couple of virtual machines though, and could not make it work.
- There is a new local privilege escalation exploit for Windows 7 (x86) that has appeared at Exploit-db. This one appears to attack CVE 2015-0003 and was patched in MS 15-010.
- There is also a new local privilege escalation exploit available for recent Ubuntu systems using apport; this one also appeared at Exploit-db. This exploits CVE 2015-1325, though this has not yet made it into the official MITRE database.
- There is a new Metasploit module that exploits Flash 184.108.40.206 on Windows 7 SP1. The underlying vulnerability is CVE 2015-0359.
- Don’t forget about the latest name brand vulnerability, VENOM (CVE 2015-3456). This affects QEMU and Citrix Xen.
- Talking about exploits, have you read about the proposed arms control restrictions on exploits?
- Raphael Mudge has another nice post on how to use Mimikatz to pass the hash.
- There is a trojaned version of PuTTY in the wild. Be sure to check those hashes folks! FCIV is your friend here.
- There is a nice summary of NCCDC from the Red Team point of view on Lockboxx.
- Have you considered writing your own Snort rule to detect Meterpreter reverse HTTP shells?
- As someone who has coached three different teams to the finals of the National Collegiate Cyber Defense Competition, let me say that Raphael Mudge’s analysis is spot on and hugely helpful. Mind you, there is a difference between knowing what Red Team wants to do, and being able to meaningfully stop them…
- If you are looking for a nice write-up on MS 14-068, head over to Veris Group and read what one of my ace former students has to say.
- There is a new denial of service attack against Minecraft servers.
- If you want to see a technical analysis of MS 15-034, the recently announced vulnerability in HTTP.sys, you might want to head over to Security Sift and a recent piece by Mike Czumak.
- Metasploit is developing a DoS exploit to attack MS15-034. I wonder how long it will be before this becomes remote code execution.
- If you want to see some of the technical details behind the recent Chinese attack against GitHub, check out Netresec.
- There is a (post-authentication) backdoor available for pfSense firewalls. This backdoor was used extensively during the 2015 SECCDC. Sam Cappella talks about his experience on Red Team at the SECCDC, including the development of the backdoor.
- One interesting area of research over the last few years has been looking at statistical patterns of people’s passwords. Take a look at the recent blog post of Julian Dunning to get a better handle on the question.
- CVE 2015-1862 is a vulnerability in Linux systems that can potentially result in privilege escalation. Tavis Ormandy has proof of concept exploits.
- The New York Times has a piece on how car thieves might be able to break into cars using a power amplifier.
- There is a new Metasploit privilege escalation exploit for Mac OS X, named “Rootpipe”. The underlying vulnerability is CVE 2015-1130.
- An older way to attack Windows systems is to pass a URL like file://a.b.c.d to Internet Explorer; then Windows attempts to authenticate via SMB and so credentials can be harvested. It turns out that HTTP redirects (302) can be used to accomplish the same task.
- There is a proof-of-concept exploit for CVE 2015-0240, which is a vulnerability in Samba.
- Have you seen this interesting approach to attacking Gnome screensavers?
- Here is a neat piece on detecting debuggers. Not my area of expertise at all, but an interesting read nevertheless.
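The file:// redirect item above is easy to check for on the defensive side. As an added example (not from the original post or from Metasploit), the Python below inspects the Location header of redirect responses and flags any that would send a Windows client to a remote file:// or UNC path and so trigger SMB authentication; the log entries, their tuple format and the RFC 5737 test addresses are constructed assumptions.

```python
"""Flag HTTP redirects that would push a Windows client onto an SMB/UNC path.

Added example, not part of the original post. Assumes you already collect
HTTP responses (status code and Location header) from a proxy or web server;
the sample entries below are constructed, with RFC 5737 test addresses.
"""
from urllib.parse import urlparse

REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def redirect_leaks_credentials(location: str) -> bool:
    """True if Location resolves to a remote file:// or UNC path.

    A Windows client opening such a target authenticates over SMB, which is
    the credential-harvesting behaviour the post describes for file://a.b.c.d.
    """
    raw = location.strip()
    if raw.startswith("\\\\"):                 # bare UNC path: \\host\share
        return True
    parsed = urlparse(raw.replace("\\", "/"))  # file:\\host\share -> file://host/share
    if parsed.scheme.lower() != "file":
        return False
    # file://host/share sets netloc; file:////host/share leaves it in the path.
    # file:///C:/local/path has neither and stays on the local machine.
    return bool(parsed.netloc) or parsed.path.startswith("//")


def suspicious_redirects(entries):
    """Return the Location values of redirect responses that point at SMB."""
    return [
        location
        for status, location in entries
        if status in REDIRECT_STATUSES and redirect_leaks_credentials(location)
    ]


# Constructed sample entries: (status, Location header)
SAMPLE_ENTRIES = [
    ("302", "https://www.example.com/login"),
    ("302", "file://192.0.2.10/share/doc.html"),
    ("301", "\\\\192.0.2.10\\share\\doc.html"),
    ("302", "file:///C:/Windows/notepad.exe"),
    ("307", "file:////192.0.2.10/share"),
    ("200", "file://192.0.2.10/share"),  # not a redirect; ignored
]

if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_ENTRIES):
        print("SMB-bound redirect:", hit)
```

Blocking outbound TCP 445 and 139 at the network edge stops the SMB authentication even when a client does follow such a redirect, so the check above is best paired with that egress filter.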
Congratulations to UMBC, who won the just completed Mid-Atlantic Collegiate Cyber Defense Competition. The University of Maryland came in second and we at Towson came in third. Thanks go to the organizers, especially Lewis Lightner for putting on a professional event. Thanks also go to the red team (captained by Rob Fuller); they are all volunteers who take time out of their schedules to come down and help teach my students. Well done all!
- Raphael Mudge has an excellent post on the red team perspective of the first five minutes of a CCDC event. If you haven’t seen how the CCDC event runs, students are given (usually) older unpatched systems, and the start of the event is utter mayhem as students try to change default passwords and update systems while the red team is busy pwning all the things and setting up persistence. He ends with the question: should it be this way? As a professor and coach, I say emphatically no. The just completed MACCDC event had students defending unpatched Windows 2000 and Windows 2003 servers and a Red Hat 7.2 server. Most defensive tools don’t work on such antiques, and the threat model is just silly. Why does CCDC rely on such old systems? MS 08-067. This, along with default credentials, is the usual way (not the only way) that red team gets its initial footholds on systems. When I teach my class (which uses these types of exercises extensively) we do not use anything older than Windows 7 / 2008 R2. The systems are unpatched, but not vulnerable to remote network attacks like MS 08-067. To ensure red team gets a solid foothold, student teams are restricted to choosing passwords from a small list; they are also required to open any emails received, visit any requested web pages, and run any received programs. This gives red team a variety of ways to get in, which means students can zero in on one or two attack types; they also get to use and deploy many other defensive tools (EMET or SRP anyone?). Competitions differ somewhat from classes, but as competition systems move towards virtualization there is no reason why the competition could not include unprivileged users on workstations doing all of the things real users do: opening carefully prepared packages of joy sent by attackers. If we don’t move to a model like this, the day will come when students are asked to defend systems that are older than they are.
- While I am thinking about the Red Team: the Nyan cat that was used to overwrite all of those MBRs is available.
- Lockboxx has a write-up on the just completed WRCCDC from the Red Team perspective.
- The Metasploit module to exploit Firefox 31-34 (CVE 2014-8636) is now available.
- Are you unsure how to set up and execute a reverse shell? Check out Arr0way who has put together an excellent cheat sheet.
- Did you know that Metasploit has a post module to search through local Outlook email messages?
- Windows registry keys can be made more difficult to examine by using non-ASCII characters.
- It looks more and more like it is time to move away from RC4 in TLS.
- There is a new Metasploit module to exploit Adobe Flash player. Currently the module is restricted to only Internet Explorer on Windows 7 running Adobe Flash player 220.127.116.11. The underlying vulnerability is CVE 2015-0138 which is reported to impact Adobe Flash player before 18.104.22.1689 and 14.x through 16.x before 22.214.171.1245 on Windows and OS X and before 126.96.36.1992 on Linux. The post from Project Zero at Google on this issue is well worth reading.
- Older versions of Windows were vulnerable to an attack that exploited how Windows handles shortcut files; Metasploit has both an existing and a new module that attack the problem. The vulnerability is CVE 2010-2568 and was patched in MS 10-046. Mostly. It turns out that the patch does not quite solve the problem, and there are two new Metasploit modules that are able to exploit the issue, even if MS10-046 is installed on Server 2003 SP2, or if MS14-027 is installed on Server 2008 SP2. (Sigh). The underlying vulnerability is now named CVE 2015-0096 and it was patched in MS15-020.
- openEMR 4.2.0 suffers from both cross-site scripting and SQL injection vulnerabilities.
- If you want to see how Red Team approached the Pacific Regional CCDC event this past weekend, take a look at the blog from LockBoxx.
- Did you know that you can grab plaintext passwords from a memory dump of lsass? Mimikatz for the win.
- Would you like to learn more about pivoting using SSH and/or Meterpreter? Take a look at the post from Arr0way.
- Did you know it is possible to run man-in-the-middle attacks against MSSQL?
- Here is a neat trick that can recover a MySQL password without restarting the MySQL daemon.
- If you are a student looking at different ways to maintain persistence on a Windows system, you might want to take a look at the approach of blakhal0, who uses Windows scheduled tasks.
- RIP Terry Pratchett.
+++ Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
— (Terry Pratchett, Hogfather)
- The big news of the week is the rowhammer attack, which exploits a hardware-level property of DRAM chips: repeated accesses to one memory row can flip a bit in an adjacent row. If that bit controls whether the process has read-write access to its own memory, the flip can be leveraged into privilege escalation.
- Incursus Absconditus has a nice piece that shows how to hijack existing SSH connections.
- Did you know that it is possible to perform a full packet capture on a Windows box, beginning with system boot without using tools like Wireshark or tcpdump?
- GreyHatHacker.NET summarizes a number of techniques that can be used to bypass Windows UAC (User Account Control).
- Business Insider has an infographic that shows the largest data breaches by time.
- If you are a student (and aren’t we all students?) you might be interested in a nice piece by Mark Vavrusa entitled What a C programmer should know about memory.