Category Archives: Application Development

Out of memory bounds implication – a never ending story

Preface

In cyber security world, we are in frequent heard a term privileges escalation. IT guy familiar buffer overflow causes privileges escalation vulnerability of Windows 2000 operating system. Seems buffer overflow issue not only happened in Microsoft product, even through you are using Linux. It will happen. As of today, Apple iPhone and Google Android phone are possible encountered this technical issue. But what’s the major element trigger this cause. It includes software application , operating system driver, Libraries and programming language!

Out of memory bounds status similar a ninja, he can bypass ASLR protection

Above design limitation is an example to show the out of memory bounds concern in computer world. Yes, this issue cover all the computer world and not only limited on Microsoft products. But what is the design difficulties of system designer (OS kernel or software driver)? Basically, the system designer has flexibility to use the memory address in their design. The overall status was changed because of malware born in the computer world. Regarding to my study in Microsoft Technet blog discussion so far. It was a tremendous hard job.

We might feel that Windows 2012R2 design looks perfect since it is a mature product since it summarizes the technical weakness and design limitation experiences in former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 bring me to attention of this matter. The issue was that system owner only delete network interfaces on a server that is running Windows Server 2012 R2 or Windows Server 2012, a random and intermittent crashes on the system

  • 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  • 0X139: KERNEL_SECURITY_CHECK_FAILURE
  • 0x3B: SYSTEM_SERVICE_EXCEPTION

Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

This case reveal to the computer world that memory under the memory protection features (Address space layout randomization protection (ASLR) and Data Execution Prevention (DEP) ). Kernel and driver designers are also headache in this matter. The key word “Prefect” does not appear in realistic world. Those memory protection facilities not prefect. Should you have interested of this item. Please refer below url for reference.

Hints: Cyber security experts aware that memory reuse and privileges escalation. The above our of memory bounds informative diagram specially show an idea how does hacker execute the malicious code of program in user mode instead of kernel mode.

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

My bias pin point to Microsoft product, let’s jump to Linux world.

The BYOD and IoT devices empower Linux operating system digital world achievement. It looks that a lot of people similar to my opinion! They will accept the excuse to this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two ways of memory accessible to the programmer.

a. User’s virtual memory space in which application to run.

b. Register memory

From technical point of view, similar embarrass situation (memory corruption) has been occurred in Linux operating system.

  • Buffer overflow – Overwrite beyond allocated length
  • Index of array out of bounds: (array index overflow – index too large/underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run time error occurs when you try to point illegal memory space, usually address 0 which is reserved for OS.
  • Pointer persistence – Function returning a pointer from the stack which can get overwritten by the calling function (in this case main()):

In fact that the smartphone operating system especially Android, the cyber attack hit rate are equivalent to common office automation software application. For more details, please see below diagram for reference.

To conduct a review of the cyber attack.The cyber attack target memory address is not a new findings in mobile phone world. For instance, Huawei mobile phone encountered Out-of-Bounds Memory Access Vulnerability in the Boot Loaders on April 2017 (CVE-2017-8149). Regarding to CVE record details, this vulnerability affects an unknown function of the component Boot Loader. The manipulation as part of a Parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if vulnerability successful exploit. The impact could cause out-of-bounds memory read, leading to continuous system reboot.

My comment in regards to this technical issue (out of memory bounds)

The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

How about in programming language, will it happen in this area?

Yes, it will happen. See what’s going on in programming language now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to PHP language. Details shown as below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.

Conclusion:

Memory out of bounds looks will be happen in digital world. Sounds like a tumor in animals and human body. The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

Life is not easy especially IT world. But sometimes it have fun! Wishes Merry X’mas and Happy New year.

Perspective of e-Wallet Vulnerability

Preface:

Java, NodeJS, Python, ObjC with Xcode and GO are the popular programming language for develop of e-wallet application. It looks that some of the programmer favor of Java language since it is a common programming language.

New technology, but targeting approach by hacker remain unchanged

Reporting of Cybersecurity Incidents – InfoSec Resources

Jul 2017 – Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Nov 2017 – Parity wallet vulnerability freezes US$278 million of ethereum. The company patched the bug encountered on July 2017. However the code still present bugs and therefore freeze the crypto currency in the wallet.

* Ethereum wallet is implemented in C++ programming language

Feb 2012 – exposes a PIN vulnerability in Google Wallet security.

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

Common Security Vulnerabilities in a Digital Wallet

  • The registration process does not identify fraud verification of the user’s information card information.
  • Develop programming language encountered design limitation (vulnerability).

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

How is e-wallet different from cryptocurrency wallet on cyber security viewpoint?

Bitcoin is a cyrptocurrency. You need a wallet to keep your bitcoins. But Bitcoin underlying technology is block chain which cannot be counterfeited. If ever there is an issue with a transfer of funds, Bitcoin protocol settles it through consensus.

The e-wallet currency is traditional currency.It uses the secure 256bit Advanced Encryption Standard (AES) for encrypting information in your wallet. If a hacker tries a brute force attack relies on computer enter possible random-number strings at top speed it would take more than a billion years to exhaust all the possibilities.

Observation: It  looks that  both type of wallet contained hack proofed feature. But is there any underlying reason make those wallet in risk?

The Java, NodeJS, Python, ObjC with Xcode and GO are the main trend of the programming language today. Why does application developer like Java? Java is a platform Independent. Means Java does not depend on hardware and OS. Java platform fully compatible with all computers. Even through it is a mainframe computer. However the cyber security incidents from past awake the IT world that even though you are using block-chain technology platform. The other side of end point might encounter cyber attack which causes data breach or compromised of both machines. From security point of view, the overall risk rating for e-business applications including cryptocurrency or traditional currency payment transfer system are equal.

Traditional way bring people consider endpoint security but ignore other possibilities factors which are in risk!

About programming language

Python

Language: Python is a dynamically type language. Java is better characterized as a low-level implementation language.

Use of VARIABLE: No requires to declare any variables. You can mix object-oriented and imperative programming you run the code directly.

Run time speed: Slower than Java

Java

Language: Java is a statically typed language. Python is much better suited as a “glue” language.

Use of Variable: Requires to define the type of each variable, it’s object oriented in the sense that you cannot write any code without defining a class, you also invoke a compiler to compiler the code then you can run it.

Runtime speed: Run faster than python

Node.js

Language: Node.js is not a programming language. The programming language is Javascript. But Node.js not similar JavaScript framework. A group of authors define a new frameworks specifically for Node.js, It includes Express.js, Restify.js, and Hapi.js.

Use of Variable: When you declare methods without using var (function <function_name>() {}), those function declarations are moved to the top of the local scope. If you manually declare you functions, you have to wait until they are both declared before you can use them.

Runtime speed: Refer to benchmark table

C++ vs. Python vs. PHP vs. Java vs. Others performance benchmark (2016 Q3)

GO

Language: Go is an open source programming language designed for building simple, fast, and reliable software. The introduction phase for GO is written in C. The libraries are written by google developer itself. Now the compiler has been rewritten in Go, so it is fully self-hosting by Google.

Variable: The type of variable is automatically judged by the compiler based on the value passed to it.

Runtime speed: Refer to below benchmark table

ObjC with Xcode

Language: Xcode supports C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, Rez, and Swift source code with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.

Variable: It is important to note that ObjC does not support class variables. But developer can simulate static variables

Runtime speed: Objective-C is slightly slower than straight C function calls because of the lookups involved in its dynamic nature.

Security Focus

 

Since no bug proof software or hardware in the world and therefore the practical operation expose the design weakness (vulnerability). Refer to informative diagram table below , Java and php looks unsecure because of the accumulate vulnerability records.

But why Java and PHP programming language are popular in the IT world. Even though Node.js framework make use of Java language. I believe that it is the fate of the IT product market. Perhaps Java bring security worries to the world. However java language provide a comprehensive functions. E-wallet looks has benefits running on Apple iPhone OS. Since it is a proprietary environment. From security prospective, it is better than opensource OS since it looks a black hole. Perhaps vulnerability occurs, the vendor (Apple) will conduct the remediation immediately. As mentioned iOS is a proprietary environment and such away avoid multiple vulnerabilities occurs simultaneously.

Example of multiple vulnerabilities: For instance Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products (September 2017). On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. However those vulnerability affected a series of Cisco products since those voice and media management products deployed Apache Structs 2.

E-Wallet on top of mobile device platform

The Near Field Communication (NFC) payment wallets designed by GSMA program project. It relies on SIM based technique support the payment service in past. But Android M break the ice develop other alternative for online payment electronic wallet. From security point of view, the new android system architecture of the design provide sandbox feature enhance the security (see below). If we believe that it is a trustworthy environment then we move our security concerns to e-wallet SDK.

Most likely the technology trend will be form into two different way. The retail shop remain to use near field communication technique secure the payment transaction. For online payment transaction like Master card, Paypal and Alipay will lead the online payment solution. As mentioned the vulnerability found in online e-wallet SDK more or less will involved in programming language. For more details, please see below:

Instance 1: A cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter (CVE-2017-6099).

Instance 2: The Android source code file (internal/telephony/SMSDispatcher.java) does not properly construct warnings about premium SMS messages, which allows attackers to spoof the premium-payment confirmation dialog via a crafted application, aka internal bug 28557603 (CVE-2016-3883)

Reference: Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01

Instance 3: Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page (CVE-2017-5110).

Instance 4: Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Refer to above details, the argument can confirm that programming language is the important factor in e-wallet development. Even through it is a cryptocurrency wallet. The overall security level of protection for a eletronic payment system must include programming language as a major factor.

End of discussion……!

Information Supplement (under observation)

Typically, a program consists of instructions tell the computer what to do. Thus what types of data will be used when it is running will be responsible by variable. In the Java programming language, the words field and variable are both one and the same thing. Variables are devices that are used to store data, such as a number, or a string of character data. The enumerate() is one of the built-in Python functions. It returns an enumerate object. In our case that object is a list of tuples (immutable lists), each containing a pair of count/index and value. However variable can be rebound at any time, so no consistent use as an enumerator. This is a vulnerability encountered in python.

* An enumeration is a set of symbolic names (members) bound to unique, constant values.

But comparing with Java and Python CVE checklist. It shown that Python programming language hit vulnerability less than Java programming language .

 

 

Layer 7 (application layer) – What is the information security key factors?

Preface:

We heard shocking news this year especially EQUIFAX breach. The hackers accessed up to 143 million customer account details earlier this year. Thereafter a data breach happened on July 29 and the details taken include names, social security numbers, drivers licences, and credit card numbers of around 200,000 people. Perhaps you could said that the incident given by vulnerability on Apache component Struts CVE-2017-5638. A design limitation was found in the Jakarta Multipart parser. A proof of concept shown that we can set the Content-Type to an OGNL expression such as:

Content-Type: ${(#_='multipart/form-data').

The Content-Type is not escaped after the error, and is then used by LocalizedTextUtil.findText function to build the error message. This function will interpret the supplied message, and anything within ${…} will be treated as an Object Graph Navigation Library (OGNL) expression. As a result the attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands (see below diagram for reference).

API security is important today especially the API infiltration

So far includes myself only focusing in ring 0 attack. It looks that information security bring my attention to kernel hooking. Once upon a time, kernel hooking looks like it is everything. I think it might have similarity and such a way anti-virus manufacturer address in the same place. But when do we awake? I believed that it is the Java application century. API security level equivalent to kernel level.

Actually the defense mechanism not difficult to detect the malware on 32-bit operating system. For instance, on a 32-bit windows system, antivirus software may use SSDT hooking (System Service Dispatch Table hooking). Using SSDT hooking, the Antivirus software can prevent attacks based on the APIs being called by the malicious software.

So, it looks secure that once modern antivirus installed, right?
But what is the reason let cyber attack victims growth rapidly? Even though IDS , firewall and modern antivirus software was deployed?

Closer Look details

Windows 7 x64 is shipped with Patch Guard which doesn’t allow to hook SSDT/MSRa/code section. Disabling PatchGuard is the 1st priority of objective for malware. Since we are the system owner and therefore it is easy to disable the Patch Guard function in your 64 bit window operating system by yourself. The instruction displayed below:

Type msconfig, Go to the boot tab and delete the patched boots.

Or running the following commands in a root-shell and restarting the PC afterwards.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex 

As we know, malware couldn’t conduct manual driven job task. If malware is going to find their target named function. It must go to the correct memory address (refer to table 1). But the objective of the PatchGuard is protect the following data and structures.

• Modifying system service tables, for example, by hooking KeServiceDescriptorTable

• Modifying the interrupt descriptor table (IDT)

• Modifying the global descriptor table (GDT)

• Using kernel stacks that are not allocated by the kernel

• Patching any part of the kernel (detected only on AMD64-based systems)

Remark: The inline hooking 3 step slogan. However it doesn’t work since patch guard is enable.

  1. The Hook – A 5 byte relative jump which is written to the target function in order to hook it, the jump will jump from the hooked function to our code.
  2. The Proxy – This is our specified function (or code) which the hook placed on the target function will jump to.
  3. The Trampoline – Used to bypass the hook so we can call a hooked function normally.

How malware trim down himself, then go to kernel level. How to bypass antivirus or malware detector?

Attempt 1. Find out design limitation on web portal then using the scripting API or dynamic JSP inject command. One of the example has shown from our discussion first page. Try to find out vulnerability on web server side module or component. Or find our the weakness of  programming design (see below for reference) then inject system command.

But is there additional way to conduct API infiltration?

Attempt 2. Hooking Shared Library Function Calls

Phenomenon: Apache web server deployment high coverage in the world. However not less Apache servers are running on Windows operating system.

Variables factor: enable patchguard and ASLR (those functions might be make hack activities more difficulties)

Below diagram is the reference of example how does inline hook jumping to malicious code and then executing the original function.

Since defense function was strengthen today. Antivirus embedded malware detection function, Microsoft PatchGuard verify the instruction and ASLR conduct random address function limit malware infection and therefore below traditional way of cyber attack can not work well!

  • DLLs loaded at runtime into process address space
    For kernel32 – target private addres space between 0x00010000 and 0x7FFE0000
  • Hiding files in a directory
    Replace FindFirstFile(),FindNextFile() in Kernel32 to skip rootkit files

Is there any benefits in below attack methods?

DirectX/OpenGL APIs and time functions – Typically hooked to implement cheating in on-line games.

Status: Possibility high, under our observation.

Winsock API – Hooked to monitor network traffic.

Status: It was happened in frequent. Under observation now.

But a security gap still valid because of today fast growth business strategy

Further to my study on cyber attack incident over past few months, a hints to me that API hook technique on layer 7 (application layer) is the key milestone of hacker today. See below cyber incident records for reference:

February 2017 –  The internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Incident root cause analysis: Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

June 2017 (It discovered the data breach June 19): 198 Million Voter Records Exposed

Incident root cause analysis: Misconfiguration isn’t a malicious hack in itself. However such incident shown to the world that a wide range of component could be impact the information security world. A misleading message bring people major focus on operatio system level from past.

July 2017 (It discovered the hack on July 29) : Equifax recently had 143 million customer records breached in a hack.

Incident root cause analysis: Found security weakness on patch management in IT  operation and vulnerability awareness. The incident given by vulnerability on Apache component Struts CVE-2017-5638.

A major unknown area will be transformed to hacker new target

Technology zone:  The IP telephony technology integrated with  TCP stack more than decade. However business operation keen to enhance the functional features. And therefore do the customization for system integration is hard to avoid. We seen some network communications hardware vendor will be involved in the application interface technologies. Modern business world more tough and demanding competition. Looks  Cisco also become the victim on former vulnerability hiccups. For more details, please see below url for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Summary: Seems, I did not has final checkpoint guide me to drawn any conclusion on this discussion. Hey Guy, keep your eye open. There will be more strange things happened in today such demanding and tough business world!

Be a happy Sunday. I remain with my best regards.

 

Reference table 1:

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

Preface:

A simple question was asked by kernel? Why I was hacked even though I have comprehensive protective system?

Background:

The windows Operating System development team fully understand relies on market anti virus might not protecting their core OS significantly. Since the computer user not only using Microsoft word processing application. They are allow the 3rd party application vendor run on top of their operating system.
They provides security defense mechanism to 3rd party software developers on their OS products since 2002. Such advanced protective mechanism also apply to windows XP SP2 and windows server 2003.

Introduction – Microsoft Comprehensive protective system for 3rd party application development (cookbook)

Top 3 protection features overview

Stack buffer overrun detection

The Detection  capability was introduced to the C/C++ compiler in Visual Studio .NET.  The /GS switch only inserts checks into function that it “recognizes as subject to buffer overrun problems.

Mitigation scheme – add below instruction in a commonly used header file to increase the number of functions protected by /GS:

#pragma strict_gs_check(on)

Preventing the SEH Overwrites with SEHOP

Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently. In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. (see below diagram for reference)

Remark: The SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows.

Mitigation scheme:

Adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP. SEHOP achieves this functionality in two distinct steps.

  1. Insertion of a symbolic exception registration record as the tail record in a thread’s exception handler list.
  2. Ensure that the symbolic record can be reached and that it is valid

Below diagram illustration of this logic:

 

Address space layout randomization (ASLR)

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. By default, Windows Vista and later will randomize system DLLs and EXEs. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. It provides random stack and heap allocations and page load every time a process starts. Even though system process was hacked. The malware cannot execute shellcode theoretically.

Below articles are my research on ASLR topic on Virtual Machine and other operation system . Should you have interest. Please review below articles for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

The enemy of ASLR (Address space layout randomization) – memory leak

But why was hacked ?

Technical insight –  It looks that using ASLR feature protect windows OS products are perfect. But the cyber security incident happened from past proven that ASLR is hard to avoid side-channel attack. For instance, the vulnerabilities (CVE-2016-7260 and CVE-2016-7259) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The windows OS system including 2008,2008R2, 2012,2012R2 and 2016.

Another example alert by Microsoft that attackers are using a blend of in-memory malware, legitimate pen-testing tools and a compromised updater to attack banks and tech firms. Similar type of attack was happened on 2013 of several South Korean organizations via a malicious version of an installer from storage service SimDisk.

Below details of information can help you to developing more idea in regards of this matter.

The operating system can promote a driver’s StartType to be a boot start driver depending on the BootFlags value specified in the driver’s INF. You can specify one or more (ORed) of the following numeric values in the INF file, expressed as a hexadecimal value:

  • If a driver should be promoted to be a boot start driver on network boot, specify 0x1 (CM_SERVICE_NETWORK_BOOT_LOAD).
  • If a driver should be promoted on booting from a VHD, specify 0x2 (CM_SERVICE_VIRTUAL_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a USB disk, specify 0x4 (CM_SERVICE_USB_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting from SD storage, specify 0x8 (CM_SERVICE_SD_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a disk on a USB 3.0 controller, specify 0x10 (CM_SERVICE_USB3_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting with measured boot enabled, specify 0x20 (CM_SERVICE_MEASURED_BOOT_LOAD).
  • If a driver should be promoted while booting with verifier boot enabled, specify 0x40 (CM_SERVICE_VERIFIER_BOOT_LOAD).
  • If a driver should be promoted on WinPE boot, specify 0x80 (CM_SERVICE_WINPE_BOOT_LOAD).

Windows registry:  Turn on/off ASLR feature: (see below)

ASLR by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages

Summary:

ASLR does not affect runtime performance. However it might slow down the initial loading of modules. But it is not in full capability to protect your windows OS system.

A reminder . Do not ignore unimportant item.

 

 

Common vulnerability on application – who’s the perpetrator – Part 1

Preface

We heard cyber security incident daily, seems like a habit forming or it will be happened daily. We wasn’t gutted ( Feeling sad and unhappy) since we have already become insensitive!

Who’s the perpetrator?

The design limitation not only found on hardware (BIOS), OS (system kernel , dynamic link library and software driver). Besides, the critical risk sometimes found on application program design.  Since mobile phone become the technology world main stream in the market because of BYOD enable concept.May be you observe this factor earlier. Both personal computer and BYOD device looks has common criteria (not the security standard common criteria). The fact is that they are heavy duty to deploy of Java application. From technical point of view, the difference in between personal computer and BYOD device application platform might have minor things. For instance application cannot display on small size display screen. Web browser compatibility issue. Perhaps those problem enough to annoys application developers. However in regards of application infrastructure both personal computer and BYOD devices are sharing the similar application source. And such a way carry out a visible securiy bottle neck on application design. Yes, we select one of the bottle neck on software application development to discuss today. It is the API key, so I dubbed API key is the perpetrator.

What is API key?

With reference to Wikipedia (see below details for reference)

An application programming interface key (API key) is a code passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site.

API keys can be based on the universally unique identifier (UUID) system to ensure they will be unique to each user. The API key often acts as both a unique identifier and a secret token for authentication, and will generally have a set of access rights on the API associated with it.

Appendix i :

API key = public unique identifier for your app.

Access token = another secret! But a new one is generated every time a new person installs your app. Each one is used for authentication of regular API calls to a particular shop.

API Key fundamental design weakness 

Kill chain – scenario A (Application program design weakness)

  • User gets infected with malicious program
  • Malicious program opens up /rest/config
  • Malicious program navigates to / and takes the CSRF token from the cookie it receives
  • Malicious program now has complete control over the REST POST interface

Kill chain – scenario B (system application software package (library) design weakness)

JSON Web Token (jwt) vulnerability includes the following authentication mechanism : node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512)

The original design of JSON Web Token structure contains 3 parts , a header, a payload, and a signature.  See below details for reference.

Prerequisite – require X509 Private/Public Key Pair to generate the digital signature.

The Base64-URL encoded representation of the Secure Header
The Base64-URL encoded representation of the Payload
The signature that is generated from the combined "payload.header"
Assembling all of these together as payload.header.signature

Below simple node.js code that uses the jsjws node module to create the JWS

var assert = require('assert');
var jsjws = require('jsjws');
var fs = require('fs');

var privKeyFile = fs.readFileSync('./dsig-key.pem');
console.log("privKeyFile: " + privKeyFile);
var priv_pem = jsjws.createPrivateKey(privKeyFile, 'changeit','utf8');
var pubCertFile = fs.readFileSync('./dsig-cert.pem');
console.log("pubKeyFile: " + pubCertFile);
var pub_pem = jsjws.X509.getPublicKeyFromCertPEM(pubCertFile.toString())

var header = { alg: 'RS256' };
console.log("Header: " + JSON.stringify(header));
var payload = { 'a':'b',
'c':'d',
'e': 1.0
};
console.log("Payload: " + JSON.stringify(payload));

var sig = new jsjws.JWS().generateJWSByKey(header, payload, priv_pem);
console.log("Signature: " + sig);
var jws = new jsjws.JWS();

assert(jws.verifyJWSByKey(sig, pub_pem, ['RS256']));
assert.deepEqual(jws.getParsedHeader(), header);
assert.equal(jws.getUnparsedPayload(), JSON.stringify(payload));

console.log("UnparsedHeader: " + jws.getUnparsedHeader());
console.log("UnparsedPayload: " + jws.getUnparsedPayload());

Found Critical vulnerabilities in JSON Web Token libraries (March 31, 2015)

A design limitation on library occurred, some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. This is so called “none” algorithm.

Therefore hacker can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

Remediation & Mitigation

It looks that the vulnerability found on library has security remediation today. As we know the vulnerabilities in JSON Web Token libraries can settle by latest version of software libraries. But how about the application program design weakness item?  As far as I know. Even though you are going to manage your API Keys with Java, Jersey, and Stormpath. The common standard on API Key management in the market more relies on the following solution.

  1. Filter  (regular expression). As far as I know,  It requires the preventive control filtering function to avoid
  2. Define full scope of authentication mechanism (something you have,something you know and something you are)
  • Define authentication protocol
  • Based on the authentication result object do the integrity check
  • Check the token that received, and appropriately gives appropriate action (forbid or access).

Opinion

In regards of API key, authentication Token & XML language are hard to avoid the risks once they are working together. However it is hard to avoid in such operation manner in business world. But I would like to let this opportunities to urge software developer that JSON Web Tokens should be avoided in your application design.  If your design insists to adopt such methodology. You must re-confirm the data classification level in your local repository and business criteria. If both two domain subjects not in DCL 3,4 and not the critical business operation. May be it still a green light signal. If not it is better to find other alternative.

The other side of the story on cyber attack (Electronic war between countries)

 

Preface

We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique)

 

Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

 

As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

The infection status of wannacry was not issued by North Korea government.  But for sure that wannacry type infection can suspend North Korea business finance and industries operations.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic

 

 

 

Who spying on me? Da Vinci or Archimedes?

Preface:

Archimedes’ principle is a law of physics fundamental to fluid mechanics.

Leonardo Da vinci  is widely considered one of the most diversely talented individuals ever to have lived.

Since they are the famous scientists. They dedicate their inventions to the world. But we known the infamous tools in cyber world for the government surveillance program. The most famous eavesdropping feature type of malware. Those surveillance tools make use of similar naming convention. From general point of view, it looks that it is not respect of these two great scientists!

About  Da vinci  Spy tools

A powerful spy software developed by Italian hack team, the tool benefits to track a person’s calls and other communications in real-time.  This tools only sell to law enforcement or government agent. Italian Hacking Team was hacked by other hacker group on 2015. More than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers display on embedded torrent file share link. A rumors were told that Italian hack team blamed their customer unethical collect their technology and hack them.

About Archimedes tool

We all known tool used by the CIA named “Archimedes”  open to the world through WikiLeaks on 5th May 2017. Archimedes developed by CIA engineering development Group. The project code so called UMBRAGE project.  It is a interested project code name. The definition of Umbrage means offense; annoyance; displeasure: to feel umbrage at a social snub; to give umbrage to someone; to take umbrage at someone’s rudeness.

Technology

 Da vinci  Spy tool

Da vinci spy tool relies on JAR (Java ARchive) , Microsoft Office and Adobe Flash Player design limitation as a infection media to fulfill their remote control system (RCS) criteria (see below). A more advance technique of tool easy to fool the cyber defense mechanism since this is a unknown attack (zero day) and therefore it will be more easily to spread out the spyware fulfill their objective.

1. Self-signed JAR
2. CVE-2012-4167: Integer overflow in Adobe Flash Player
3. CVE-2010-3333: Stack-based buffer overflow in Microsoft Office
4. CVE-2012-5054: Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player
5. CVE-2012-1682: Unspecified vulnerability in the Java Runtime Environment (JRE)
6. CVE-2013-0633: Buffer overflow in Adobe Flash Player

Archimedes

Archimedes is an update to Fulcrum 0.6.1. The design objective of Fulcrum. Fulcrum will direct a target machine’s HTTP client traffic to the URL of the attacker’s choice. The technique involves ARP Spoofing to Get In the Middle and HTTP Traffic Injection. The simple conceptual idea shown in below picture.

Archimedes (Fulcrum 0.6.2) focus windows OS with high flexibility. The attacker can execute Fulcrum as an EXE with Compiled Parameters. In order to avoid anti-virus program protection .The remote attacker can run as DLL with rundll32.exe with CommandLine Parameters. The tool itself is not sophisticated. Attacker can easy to get rid following files (f32.exe,f32.dll,fs32.exe,fs32.dll,f.cfg and f.log). The normal computer user do not know what is happen.

Capability and Flexibility

Da vinci  Spy tool:

Capability: small footprint,  unknown vulnerability (zero day)

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Archimedes :

Capability: small footprint,  similar normal application program service daemon

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Similarity

Both spy tools (Da vinci  &  Archimedes (Fulcrum 0.6.2))are using inline hooking technique (see below).

However Archimedes (Fulcrum 0.6.2) looks develop infiltration technique from layer 2. For instance ARP cache poisoning.  Both spy tools entry point (infiltration) looks have differences! Da vinci more focus on layer 7 (application) and Archimedes run on layer 2. Seems it is hard to proof the integrity of the rumors (Italian hack team blamed their customer unethical collect their technology and hack them). But it is not the absolute answer. Let’s keep our eye open on wiki-leaks to know more!

 

Reference:

https://wikileaks.org/vault7/#Archimedes

 

Conduct self assessment enhance your cyber security setup

Preface:

Although your in house IT setup has SIEM, IDS, IPS, ..etc. But you may have questions? What is the defense criteria. Yes, we fully understand that install full scope of defense mechanism might mitigate the risk, right? Implement the IT strategic outsourcing.  Enforce the follow the Sun policy. Deploy the management security service.  But think it over, those defense mechanisms are involve human operation.  Perhaps the SLA agreement of your services provider promises 99.99 % response time. But cyber security incident handling method far away with normal IT operation framework. For instance, engage the forensic investigation sometimes consume time to isolate the problem. As a matter of fact, SLA looks like a value. The quicker you receive email reply or return phone call did not imply it boots up the value of cyber incident management.

Objective:

Now we look back the cyber incident history. The security experts and security analysis Guru are summarized the key factors of the weakness of IT infrastructure today. No matter how was the size of your firm. Below key elements can guide you to the appropriate approach.

Weaknesses of IT domain – Key elements

  1. Unauthenticated protocols
  2. Outdated hardware
  3. Weak user authentication
  4. Weak file integrity checks
  5. Vulnerable Windows operating systems
  6. Undocumented third-party relationships

If your firm is able to compliance above 6 items of key elements. I was say congratulation to you. But for the realistic point of view, I believed that it is not easy to archive. For instance, you application development team is going to enhance the application. However the application integrate with a legacy product. Furthermore the legacy product is retired of their product life cycle. You know what is the weakness and the vulnerabilities. As a matter of fact, it is not possible to inform your management team suspend the project process since this is a business objective. Similar fashion of  scenario you might encountered or familiar.  Any idea or resolution to resolve such business habit forming manner. Since all the final decision will be decide by CSO, CIO or coporate management team. But at least following hints can give more space to you for thinking of this subject matter.

Definition:

Use a security controls matrix to justify controls and identify the weakness of the specifics area. The design goal is that take the benefit of matrix table for simplification terms. Thus provide a straight forward path which can apply to the key objective area. Since we all tech guy and no need to mention in depth. For more details, please see below:

Base on the 6 key elements of weakness in overall IT Infrastructure. Below assessment tool can provides an overall idea to you which area of weakness encountered in your shop.

 

authenticated protocols Availability SSL or VPN (Ipsec) Change control policy
Router (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Switch (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Firewall (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Managed security service (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Cloud Farm (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Outdated Hardware Still operate In-House hardware lifecycle policy
Router (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Switch (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Firewall (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Sever (Vendor support – End of Life) Yes(0)/No(1) Yes(1)/No(0)
PABX (CTI server) Yes(0)/No(1) Yes(1)/No(0)
Total score Full score (5) Full score (5)
user authentication ID asset management Single sign-on feature
Router Logon access Yes(1)/No(0) Yes(0)/No(1)
Switch Logon access Yes(1)/No(0) Yes(0)/No(1)
Firewall Logon access Yes(1)/No(0) Yes(0)/No(1)
Privileges ID Yes(1)/No(0) Yes(0)/No(1)
Application program service ID Yes(1)/No(0) Yes(0)/No(1)
Total score Full score (5) Full Score (5)
File integrity check Top Secret / Confidential Data Data classification Policy
Server Yes(1)/No(0) Yes(1)/No(0)
Web Application (External) Yes(1)/No(0) Yes(1)/No(0)
Web Application (Internal) Yes(1)/No(0) Yes(1)/No(0)
Database (DB) Yes(1)/No(0) Yes(1)/No(0)
Cloud farm Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Vulnerability management Zero day & critical patch Incident management procedure
Router Yes(1)/No(0) Yes(1)/No(0)
Switch Yes(1)/No(0) Yes(1)/No(0)
Firewall Yes(1)/No(0) Yes(1)/No(0)
Server Yes(1)/No(0) Yes(1)/No(0)
Application Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
3rd Party relationship Responsibilities (scope of works and support level of cyber security incident) Dedicated subject matter expert implement in this role
Management security services Yes(1)/No(0) Yes(1)/No(0)
Web Hosting Yes(1)/No(0) Yes(1)/No(0)
Application (Vendor service support token) Yes(1)/No(0) Yes(1)/No(0)
Hardware maintenance (services provider) Yes(1)/No(0) Yes(1)/No(0)
Network (MPLS, Frame-link, Internet line, Boardband..etc) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)

Achievement:

What is your over performance score on above matrix table?  If it is not suitable to your environment. No problem, please go ahead to modify the criteria and try to fit to your project scope. Even though external auditor engage the risk assessment they are using the same idea.  Good luck to all of you!

 

 

 

 

 

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

 

 

Flash Player has a wide user base, and is a common format for games, animations, and graphical user interfaces (GUIs) embedded in web pages. However the trend of HTML 5  is going to replace his duty on market. Google stop running Flash display advertisement on Jan 2017.  The e-newspaper (Digital journal) foreseen that the Adobe’s Flash expected to be dead and gone by 2018. However, the software vendor Adobe release Flash Player 25 on Mar 2017. Before the discussion starts, ,  lets go through the current market status of Flash player.  Below picture show the current market position of Flash. It looks that a significant drop of the market share today.

Market position 2017

A question you may ask? If the market share of the product dropped, it is not necessary to discuss a low popularity product.  But my concerns on Adobe Flash application still valid. The fact is that even though you are not going to use. However Flash Player installed on your machine have inherent risk.  Ok, make it simple. Let jump to our main topic now. It is the real-time media flow protocol from Adobe.

What is the Real-Time Media Flow Protocol (RTMFP)?

The Real-Time Media Flow Protocol (RTMFP) is a communication protocol from Adobe that enables direct end user to end user peering communication between multiple instances of the Adobe® Flash® Player client and applications built using the Adobe AIR® framework for the delivery of rich, live, real-time communication.

The evolution of Adobe system design

The IETF technical articles issued on Dec 2014 has following security consideration.

Cryptographic aspects of RTMFP architecture:
RTMFP architecture does not define or use a Public Key Infrastructure (PKI). Clients should use static Diffie-Hellman keys in their certificates. Clients MUST create a new certificate with a distinct fingerprint for each new NetConnection. These constraints make client identities ephemeral but unable to be forged. A man-in-the-middle cannot successfully interpose itself in a connection to a target client addressed by its fingerprint/peer ID if the target client uses a static Diffie-Hellman public key.

Servers can have long-lived RTMFP instances, so they SHOULD use
ephemeral Diffie-Hellman public keys for forward secrecy. This
allows server peer IDs to be forged; however, clients do not connect
to servers by peer ID, so this is irrelevant.

For more details on above matter, please visit IETF techincal articles https://tools.ietf.org/html/rfc7425#page-46

Our observation today

  1. Since RTMFP is based on UDP. UDP (User Datagram Protocol) connectionless state which decreased latency and overhead, and greater tolerance for dropped or missing packets. RTMFP supporting groups in Flash player support multicast feature. If hacker counterfeit a malicious swf format file and deploy with spear phishing hacking technique. Since it is a multicast structure and therefore it is hard to located the original source file.

2. CVE-2017-2997 exploits vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution. However a design weakness looks appear on TVSDK , an out-of-bound read vulnerability found by FireEye on May 2016.

3. Besides, The AVM (Action script virtual machine) implements certain core features of ActionScript, including garbage collection and exceptions, and also acts as a bridge between your code and Flash Player. The use-after-free memory feature in AVM is protect by  OS system. Even though implement Address space layout randomization (ASLR)  and Data Execution Prevention (DEP) but still have way by-pass by attacker. Windows 8.1 Update 3 Microsoft introduced a new exploit mitigation technology called Control Flow Guard (CFG). CFG injects a check before every indirect call in the code in order to verify if the destination address of that call is one of the locations identified as “safe” at compile time. However overwrite Guard CF Check Function Pointer with the address of a ret instruction will
let any address pass Guard CF Check Function, and thus bypass CFG.

Overall comments on above 3 items:

It looks that Flash contained fundamental design limitation, may be there are more hidden risks does not discover yet. As far as I know, law enforcement agency relies on Flash vulnerabilities to implement the surveillance program (Reference to vulnerability on 2012). My suggestion is that it is better uninstall the Flash on your web browser especially enterprise firm IT operation environment. Since Information security is a continuous program, so stay tuned,  update will be coming soon!

Flash Architecture

Remark: out-of-bounds definition – This typically occurs when the pointer or its index is incremented or decremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in corruption of sensitive information, a crash, or code execution among other things.

Application platform  – Language C and C++

The chronology of attack

2012: The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detects this payload as Trojan.Pasam. The malicious files we have observed so far are contacting servers hosted in China, Korea, and the United States to acquire the necessary data to complete the exploitation. This attack is targeting Adobe Flash Player on Internet Explorer for Windows only.

2015: SWF file is used to inject an invisible, malicious iFrame

2017: (CVE-2017-2997, CVE-2017-2998,CVE-2017-2999,CVE-2017-3000,CVE-2017-3001,CVE-2017-3002 & CVE-2017-3003)

A buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
Random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
unpatch vulnerabilities lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003)

 


 

 

 

 

Part 2:Blockchain technology situation – Malware join to bitcoin mining

A moment of silence, prayer for the dead (Terrorist attack on the streets attack near U.K. Parliament 22nd Mar 2017)

A moment of silence, prayer for the dead 
Tragedy in Russia - Explosion in the St. Petersburg metro 3rd Apr 2017

Part 2: Blockchain technology situation – Malware join to bitcoin mining

We continuous the discussion topic on blockchain technology situation.  Part 1:Blockchain technology situation – A Tales of Two Cities The discussion on part 2 mainly focus on malware threats to bitcoin industry.  We understand that Bitcoin was designed to be uncensorable digital cash that could operate outside the existing financial system. As mentioned last time, it looks that the blockchain technology contained weakness on end point device (bitcoin owner workstation or mobile phone). Even though you deploy a proprietary wallet, the overall setup will become weakness once malware compromise your end point device. Below picture diagram bring an idea to reader of bitcoin wallet architecture, see whether you have different idea in this regard?

Bitfinex incident wakes up concern on endpoint security

More than US$60m worth of bitcoin was stolen from one of the world’s largest digital currency exchanges (Bitfinex) on 2nd Aug 2017. Nearly 120,000 units of digital currency bitcoin worth about US$72 million was stolen from the exchange platform Bitfinex in Hong Kong, said Reuters Technology News. Director of Community & Product Development for Bitfinex stated that the bitcoin was stolen from users’ segregated wallets. The investigation has found no evidence of a breach to any BitGo servers, said the representative of BitGo.

Since no evidence proof that security breach happened in that place but what is the possible cause?

An announcement posted by official group (Bitfinex), the company informed that there are going to secure the environment and bring down the web site and the maintenance page will be left up. From technical point of view, if  API and signing keys reside on servers. Hacker might have access with legitemate credential once a bitcoin wallet user workstation compromised.As a matter of fact if the webservice is hacked, bitcoin owner will lost the money (see above bitcoin wallet architecture comparison diagram for reference).

Our Observation

The weakness of Node.J.S trading API Framework.

The java script contain security weakness. It benefits hacker to understand the operation path. For instance

Client send his payload, his key, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac. (see below program syntax for reference).

 

From technical point of view, malware which contains steal private key or digital certificate function, they have capability transform to bitcoin malware. As usual, the infection technique relies on Spear phishing. The emails contained a malicious attachment with the file which contained a zero-day exploit. The exploit attacked multimedia software platform used for production of animations especially Adobe Flash to install a malware onto the victim’s computer.

Then malware obtained bitfinex private key and one of the following item.

i) bitgo’s private key

ii) bitfinex bitgo’s username and password and authy’s credentials (that allows the hacker to create new api access tokens and remove daily limits)

iii) bitfinex bitgo’s api access token

Or apply new keys gave to bitgo as new 2-3 internal bitfinex address. signed tx with bfx key, and “new key” that was just given. Meanwhile bypassing bitgo’s security checks.

Summary:

Above information detail is one of the example. It looks that quote a real incident can increase the visibility of the understanding.  Apart from that, discussion looks never ending. I believed that part 3 will be coming soon.