Category Archives: System

Do you think a 64-bit OS can secure the critical facilities in your country?

A few years ago I heard that the 64-bit version of Windows is more secure. Experts say that 64-bit operating systems aren't immune to malware, but their security features are stronger:

  • Address Space Layout Randomization (ASLR): an incorrect address guess may result in the program crashing
  • Mandatory Driver Signing: prevents unsigned drivers provided by malware from running on the system
  • Kernel Patch Protection: prevents device drivers from patching the kernel
  • Data Execution Prevention (DEP): allows the operating system to mark certain areas of memory as "non-executable"

The four features above look capable of protecting the OS from malware infection. Recall cyber incident history: the first version of the Stuxnet computer virus, which was used to attack Iran's nuclear program in November 2007, was being developed as early as 2005, when Iran was still setting up its uranium enrichment facility. SCADA systems are compatible with both 32-bit and 64-bit Windows. SCADA manufacturers strongly recommend using 64-bit operating systems; 32-bit operating systems may be used for compatibility reasons within already existing configurations. It seems we can figure out hints of the malware's weakness here, and speculate that the SCADA systems Stuxnet infected were running on top of 32-bit Windows rather than 64-bit.

Descendant of the malware: a newer embedded DLL injection technique (reflective DLL injection)

A more sophisticated DLL injection method is the so-called reflective DLL injection. It loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. The conceptual diagram is shown below:

The reflective loader function above will locate the following targets:

  • the Process Environment Block (PEB) of the target process
  • a suitable CPU register
  • the address in memory of kernel32.dll
  • other required libraries

Next step: find the memory addresses of the required API functions, such as LoadLibraryA, GetProcAddress and VirtualAlloc. The loader relies on these API functions to load the DLL (the malware) into memory and call its DllMain entry point.

Remark: What is the DllMain entry point? It is an optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.

Only a very limited set of actions can be performed in the DllMain function: some DLLs may not be loaded yet, so you cannot call functions from them.

Does it mean that it is not easy to implant malware on 64-bit operating systems?

All applications except malware would use the standard main memory; the copy (shadow memory) is what malware is designed to use. Shellcode might have difficulty passing parameters through the shadow memory space. The fact is that there are differences between the x86 and x64 operating systems: 64-bit addressing capability and a flat set of 16 64-bit general-purpose registers. If that "shadow space" on the stack was not allocated by the caller, the function may not work as expected.

Remark: In a 64-bit OS environment, pages in the shadow region are allocated on demand, that is, only when a page contains tag information. As every byte of tracked program data needs four more bytes for its tag, that part of the physical memory footprint of a process increases by a factor of four.

Speculation:

I believe that nuclear power facilities still have 32-bit SCADA applications in operation. But there is no harm in keeping them: the fact is that even if you upgrade to a 64-bit OS, it is hard to guarantee that malware cannot silently implant itself in your environment.

The URL below gives historical information on malware attacks against nuclear power facilities, for your reference.

https://www.google.com.hk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwj72tfKnN_QAhVIGpQKHTdgBywQFggaMAA&url=http%3A%2F%2Fwww.antihackingonline.com%2Fnetwork-protocol-topology-standard%2Fmalware-vs-nuclear-power-do-you-think-scada-system-is-the-culprit-of-attack-on-nuclear-power-system%2F&usg=AFQjCNGDNhe7wFJgFQSDK7V3QDnWqiB99A

 

Dark side of the computer memory

 

Does the subject bring a feeling of mystery to the reader? People who like pop music might have heard a famous song by Pink Floyd. Yes, it is Dark Side of the Moon. Rumours say that the dark side of the Moon has another civilization living there. Is it true?

In the computer world, memory leak issues are not a new topic. Hackers rely on this type of error to implant malware. A memory leak issue was found in the Google Chrome browser in November 2014: users found that some elements of the DOM (Document Object Model), or handlers, were not being released properly. The three memory leak criteria below give an idea of what the definition of a memory leak is.

  1. Applications stay in memory when not in use
  2. System run-time is expected to be unlimited
  3. Systems typically have lower total available system memory

The hottest target that lures hackers

Svchost.exe is an important process of the Windows 7/8/8.1/10 operating system that hosts groups of individual services. Windows uses these services for various system functions. There can be multiple svchost.exe instances, and one instance may include several services. In most cases it is the svchost.exe (netsvcs) instance that encounters the high CPU and high memory usage problem. This symptom might indicate infection by a virus or a malware program.

How does malware do this job?

Malware relies on a design limitation of the system process: it creates another section in its own address space, copies the svchost.exe content into the created section and then patches svchost.exe. For more detail, please see below:

So-called process hollowing

  1. Malware starts the svchost.exe process in suspended mode, so that it gets loaded into the address space.
  2. Malware determines the base address of the legitimate process by reading PEB+8 (PEB.ImageBaseAddress) and then deallocates the executable section of the legitimate process. Afterwards it allocates memory in the legitimate process with read, write and execute permission at a different address.
  3. It copies and injects the executable into the allocated memory address.
  4. Malware then overwrites the PEB.ImageBaseAddress of the legitimate process with the newly allocated address.
  5. It changes the start address of the suspended thread to the entry point of the injected executable by setting CONTEXT.Eax, using the SetThreadContext API, and resumes the thread.
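As an added example (not code from the original post), a defender-side memory-scan heuristic that covers both the reflective DLL injection described in the previous post and the hollowing steps listed above. All regions, module paths and PE bytes are constructed sample data; the two checks mirror the kind of test memory-forensics tools make, not any specific product's code.

```python
# Added example, not from the original post: a simplified scan over a
# process-memory snapshot applying two defender-side heuristics for the two
# techniques described above.
#  1. Reflective DLL injection: a DLL loaded by hand never gets a file-backed
#     mapping, so an executable region with no backing file that still begins
#     with a PE header (MZ ... PE\0\0) is suspicious.
#  2. Process hollowing: PEB.ImageBaseAddress should point into the region
#     mapped from the process's own executable, and that region's header
#     should still match the file on disk.
# The regions, module paths and PE bytes below are constructed sample data.
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Region:
    base: int
    size: int
    protect: str                # "R", "RW", "RX" or "RWX"
    mapped_file: Optional[str]  # backing file path, or None for private memory
    data: bytes                 # leading bytes of the region


def make_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-like image: 'MZ' DOS header, e_lfanew = 0x40,
    'PE\\0\\0' at that offset, then an identifying payload."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)    # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> NT header offset
    return bytes(hdr) + b"PE\0\0" + payload


def has_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_unbacked_pe_regions(regions: List[Region]) -> List[Region]:
    """Heuristic 1: executable, non-file-backed regions that carry a PE header."""
    return [r for r in regions
            if "X" in r.protect and r.mapped_file is None and has_pe_header(r.data)]


def check_image_base(regions: List[Region], peb_image_base: int,
                     image_path: str, disk_header: bytes) -> str:
    """Heuristic 2: PEB.ImageBaseAddress must fall inside the region mapped from
    image_path, and its in-memory header must equal the on-disk header."""
    for r in regions:
        if r.base <= peb_image_base < r.base + r.size:
            if r.mapped_file != image_path:
                return "suspicious: image base is not backed by " + image_path
            if r.data[:len(disk_header)] != disk_header:
                return "suspicious: in-memory header differs from on-disk image"
            return "ok"
    return "suspicious: image base lies outside every mapped region"


SVCHOST = r"C:\Windows\System32\svchost.exe"
KERNEL32 = r"C:\Windows\System32\kernel32.dll"
SVCHOST_DISK = make_pe(b"svchost-on-disk")        # stand-in for the file's bytes
INJECTED = make_pe(b"hand-loaded-executable")     # stand-in for an injected image


def clean_snapshot() -> List[Region]:
    return [
        Region(0x00400000, 0x20000, "RX", SVCHOST, SVCHOST_DISK),
        Region(0x76000000, 0x100000, "RX", KERNEL32, make_pe(b"kernel32")),
        Region(0x00600000, 0x10000, "RW", None, b"\0" * 64),   # heap, no header
    ]


def injected_snapshot() -> List[Region]:
    """Clean process plus a private RWX region holding a reflectively loaded DLL."""
    return clean_snapshot() + [Region(0x02000000, 0x10000, "RWX", None, INJECTED)]


def hollowed_snapshot() -> List[Region]:
    """Steps 2-4 above: the file-backed image was unmapped, a private RWX region
    received the injected executable and PEB.ImageBaseAddress now points there."""
    return [
        Region(0x76000000, 0x100000, "RX", KERNEL32, make_pe(b"kernel32")),
        Region(0x02000000, 0x10000, "RWX", None, INJECTED),
    ]


def scan(regions: List[Region], peb_image_base: int) -> dict:
    return {
        "unbacked_pe": [hex(r.base) for r in find_unbacked_pe_regions(regions)],
        "image_base": check_image_base(regions, peb_image_base, SVCHOST, SVCHOST_DISK),
    }


if __name__ == "__main__":
    print("clean    ", scan(clean_snapshot(), 0x00400000))
    print("injected ", scan(injected_snapshot(), 0x00400000))
    print("hollowed ", scan(hollowed_snapshot(), 0x02000000))
```

On a live system the region list would come from VirtualQueryEx or a memory image, and the on-disk header from the executable on disk; the comparison logic stays the same.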

Conclusion:

The scenario above is one example of a memory-leak-type vulnerability. If you are interested in this issue, it is not difficult to find out more by yourself!

 

2016 Supercomputer magazine


Traditionally, supercomputers have been used for scientific and engineering applications that must handle very large databases or do a great amount of computation (or both). Supercomputers have the capability to handle multitasking and graphics processing. Bear in mind that computer brands such as Cray, IBM and Fujitsu are top-of-the-range computer products. Mainframe systems are called supercomputers because of their system architecture and processing power. Their CPU units, memories and I/O are controlled by crossbars. Their system performance is measured in a technical term called floating-point operations per second (FLOPS). It is an important specification of a computer system, especially for applications that involve intensive mathematical calculations.

Non-traditional design vs traditional concept

Do you remember the Parallel Capacity Resource (PCR) clusters? This mature technology appeared in 2002. The success of the PCR clusters was followed by the purchase of the Multiprogrammatic Capability Resource (MCR) cluster in July 2002 from Linux NetworX. The PCR cluster debuted on the Top 500 Supercomputers list in November 2002.

Parallel Capacity Resource (PCR) cluster architecture creates the mysterious power!

The differences between the Chinese supercomputers and traditional mainframe supercomputers.

I speculate that the Chinese supercomputer architecture was established on the Parallel Capacity Resource cluster concept for system development. Some technical details serve as a fingerprint for this proof of concept. Details are shown below:

1. Sunway TaihuLight has 10,649,600 computing cores comprising 40,960 nodes.

2. The system OS is not mentioned in the technical report; however, I believe that the OS kernel was developed on top of System V (Unix/Linux).


Top 1-10 winners

Rank | Model | Location | Total cores | Rmax (Tflops/s) | Rpeak (Tflops/s) | Memory
1 | Sunway TaihuLight | China (Wuxi) | 10649600 | 93014.6 | 135435.9 | 1310720 GB
2 | Tianhe-2 | China (Guangzhou) | 3120000 | 33862.7 | 54902.4 | 1024000 GB
3 | Titan | Tennessee, USA | 560640 | 17590 | 27112.5 | 710144 GB
4 | Sequoia | Livermore, CA | 1572864 | 17173.2 | 20132.7 | 1572864 GB
5 | Cori | Berkeley, CA | 622336 | 14014.7 | 27880.7 | 878592 GB
6 | Oakforest-PACS | Kashiwa, Japan | 556104 | 13554.6 | 24913.5 | 919296 GB
7 | K computer | Kobe, Japan | 705024 | 10510 | 11280.4 | 1410048 GB
8 | Piz Daint | Lugano, Switzerland | 206720 | 9779 | 15988 | 194560 GB
9 | Mira (BlueGene) | Lemont, IL, USA | 786432 | 8586.6 | 10066.3 | unknown
10 | Trinity | New Mexico | 301056 | 8100.9 | 11078.9 | unknown

 

Top 1 – 10 Supercomputers geographic location

11-20 winners

Rank | Model | Location | Total cores | Rmax (Tflops/s) | Rpeak (Tflops/s) | Memory
11 | Cray XC40 | UK | 241920 | 6765.2 | 8128.5 | 430080 GB
12 | Marconi | Italy (Bologna) | 241920 | 6765.2 | 8128.5 | 430080 GB
13 | Pleiades | Mountain View, USA | 241108 | 5951.6 | 7107.1 | 917344 GB
14 | Hazel Hen | Stuttgart, Germany | 185088 | 5640.2 | 7403.5 | unknown
15 | Shaheen II | Saudi Arabia | 196608 | 5537 | 7235.2 | unknown
16 | Pangea | France | 220800 | 5283.1 | 6712.3 | 54000 GB
17 | Stampede | Texas, USA | 462462 | 5168.1 | 8520.1 | 192192 GB
18 | Theta | Argonne, USA | 207360 | 5095.8 | 8626.2 | 207360 GB
19 | JUQUEEN | Juelich, Germany | 207360 | 5095.8 | 8626.2 | 207360 GB
20 | Cheyenne | Boulder, USA | 144900 | 4788.2 | 5332.3 | 202752 GB

 

11 – 20 Supercomputers geographic location

Can we say that hackers and malware do not have the capability to attack supercomputers?

In today's electronic world the ARM processor architecture is popular. An ARM processor is one of a family of CPUs based on RISC. ARM processors are extensively used in consumer electronic devices such as smartphones, tablets, multimedia players and other mobile devices. Supercomputers would not use low-cost ARM processors. A traditional supercomputer framework is built from an array of mainframe computers. Mainframe CPUs, especially the IBM S/390 CPU, make use of a crossbar architecture. Since the mainframe CPU memory structure is not disclosed to the public, even when an LPAR runs Windows Server or Linux, malware has no idea how to jump into kernel memory, and so it is hard to compromise the whole system. No matter how excellent the performance of a PCR (parallel capacity resource) cluster built from modern servers, a solid concern is brought to our consideration. For instance, for a PCR cluster built from Intel i686 CPU or Xeon server groups, the security bottleneck lies in the core OS (Linux, Unix System V, custom-built System V (VMware))! The fact is that the Intel CPU memory address cookbook can be found on the market. In that sense, even though a PCR cluster built from modern servers provides great speed (floating-point) performance, the overall security is part of the concern! To be honest, in my personal view the highest floating-point figure (Tflops) looks like a reference parameter only; it does not seem to reflect the actual reality of usage.

 

CVE-2016-7255 – Google Chrome is the Instigator

The IT world encounters a storm in a teacup every week. I heard that Microsoft blamed Google for a design mistake in their web browser (Chrome) that caused the vulnerability (CVE-2016-7255). The information on hand described that hackers wanted to find a back door in the web browser (Google Chrome), and at the end they found a privilege escalation. It looks as if similar vulnerabilities caused by web browsers will happen in the future. The vulnerable driver this round is win32k.sys!

What is win32k.sys? It is the multi-user Win32 driver file.

It looks as if win32k.sys has a design limitation: a PAGE_FAULT_IN_NONPAGED_AREA was discovered in 2009. But what is a page fault in the non-paged area? The symptom is that an application asked for a page of memory in order to continue, the page was not available, and the system crashed.

Why Google Chrome is suspected to be the instigator

When Chrome attempts to access critical data from memory that was supposed to be stored in the non-paged area, it cannot find it, because this area of memory is reserved for the Windows core.

The Windows registry keys below relate to CVE-2016-7255:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Exp.CVE-2016-7255

    HKEY_LOCAL_MACHINE\SOFTWARE\

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "3948550101?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "xas

    HKEY_CURRENT_USER\Software\Exp.CVE-2016-7255

Comment:

CVE-2016-7255 hits a design limitation and causes local privilege escalation. A patch is available. But my comment this time is to wait for the next round of announcements by Microsoft. What's the reason? …….!!!!!

Is Single Sign on a Security Risk?


The majority of computer operators and people alike maintain one user ID and password. The single sign-on facility fulfils their operational requirements. From a security point of view, there are inherent risks when a company deploys a single sign-on function on its network infrastructure.

Single sign on infrastructure

Let's take a closer look at single sign-on

Benefits:

  1. No need to remember many user IDs and passwords
  2. Simplified operation procedure
  3. Improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users.
  4. Reduces the time taken by users to log into multiple applications and platforms

 

Single sign-on drawbacks

  1. The same password on all your various web services: it is dangerous to let one username/password combination unlock all the resources.
  2. A single high-value target (attracts more attackers)
  3. Side-channel attacks against the authentication step
  4. You never know how secure your system is or whether there has been a breach

Single sign-on increases the difficulty of application protection

SSO by itself doesn't really improve security and, in fact, if not deployed properly, can degrade security. There are more techniques for attacking single sign-on applications today. For more details, please see below:

  1. Single sign-on phishing
  2. The SSO profile was vulnerable to a man-in-the-middle attack
  3. Replay attacks
  4. XML Signature Wrapping vulnerability in the SAML protocol
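A structural pre-check against the XML Signature Wrapping pattern in item 4, as an added example that is not part of the original post. It assumes a service provider that expects one Assertion per Response, signed with an enveloped Signature that is a direct child of that Assertion; it does not perform the cryptographic signature verification itself (that needs an XML-DSig library and the IdP certificate), and the three responses are constructed samples.

```python
# Added example, not part of the original post: before cryptographically
# verifying a SAML Response, check that the Assertion the service provider (SP)
# is about to act on is exactly the element the enveloped Signature covers.
# Assumptions: one Assertion per Response; Signature is a direct child of it.
import xml.etree.ElementTree as ET   # a real SP should use a hardened parser such as defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = "{%s}Assertion" % SAML
SIGNATURE = "{%s}Signature" % DS
REFERENCE = "{%s}Reference" % DS


def signed_ids(xml_text: str) -> set:
    """IDs that any ds:Reference in the document claims to cover ('#id' URIs)."""
    root = ET.fromstring(xml_text)
    return {ref.get("URI", "")[1:]
            for sig in root.iter(SIGNATURE)
            for ref in sig.iter(REFERENCE)
            if ref.get("URI", "").startswith("#")}


def check_response(xml_text: str) -> str:
    root = ET.fromstring(xml_text)
    # A naive SP acts on the first Assertion in document order; that is the
    # element an attacker substitutes while leaving the signed one intact.
    assertions = list(root.iter(ASSERTION))
    if not assertions:
        return "reject: no Assertion"
    consumed = assertions[0]
    cid = consumed.get("ID", "")
    if len(assertions) > 1:
        return ("reject: %d Assertions; would consume %r, signed IDs %s"
                % (len(assertions), cid, sorted(signed_ids(xml_text))))
    sig = consumed.find(SIGNATURE)          # must be a direct child (enveloped)
    if sig is None:
        return "reject: Assertion %r has no enveloped Signature" % cid
    refs = {r.get("URI", "") for r in sig.iter(REFERENCE)}
    if refs != {"#" + cid}:
        return "reject: Signature in %r references %s" % (cid, sorted(refs))
    return "accept: " + cid


NS = 'xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s"' % (SAMLP, SAML, DS)


def assertion_xml(aid: str, name: str, ref: str) -> str:
    """Constructed Assertion with an enveloped Signature whose Reference points at #ref."""
    return ('<saml:Assertion ID="%s"><saml:Issuer>idp.example</saml:Issuer>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '</saml:Assertion>' % (aid, ref, name))


# Genuine response: one Assertion, signature covers its own ID.
GOOD = '<samlp:Response %s ID="r1">%s</samlp:Response>' % (NS, assertion_xml("a1", "alice", "a1"))

# XSW: an unsigned Assertion for "admin" is placed first and the genuinely
# signed Assertion is wrapped inside it, so the signature itself still validates.
XSW = ('<samlp:Response %s ID="r1"><saml:Assertion ID="evil">'
       '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>%s'
       '</saml:Assertion></samlp:Response>' % (NS, assertion_xml("a1", "alice", "a1")))

# Signature copied from another message: it references an ID this Assertion does not carry.
COPIED = '<samlp:Response %s ID="r1">%s</samlp:Response>' % (NS, assertion_xml("a2", "alice", "a1"))

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("xsw", XSW), ("copied", COPIED)):
        print(label, "->", check_response(doc))
```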

Security Concerns:

GIAC, as a pioneer, pointed out single sign-on security concerns in their Global Information Assurance Certification paper. The article brings the idea to the world that each operating system and application has its own set of security requirements for both user ID and password. In that sense, SSO by itself doesn't really improve security and, in fact, if not deployed properly, can degrade security. Enterprise firms need compliance and must fulfil audit requirements, but please note that compliance may not equal security. Let's think it over: one single password that can access all key applications. Is it a security risk?

Dangerous version of the Dridex banking malware

 

Do you think banks are likely to remain top cyber crime targets? Looking back on 2016, attackers used different methods, including malicious attachments sent to multiple banks. The most famous incident is the US$81M Bangladesh Bank heist in May 2016. We all know that a script kiddie can hardly create such a storm. IT departments, especially in financial institutions, spend their manpower and efforts on the end-user computing area, even though mobile phones, mobile computing devices and workstations are under IT governance.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Earlier this year Symantec alerted the world that new malware was going to harvest the banking credentials of victims, and claimed that Dridex is now one of the most dangerous pieces of financial malware in the world.

Why is Dridex so dangerous?

As we know, traditional malware operation relies on a dropper file. A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system. The earlier generation of dropper files was packaged with an EXE file extension. As time went by, anti-virus vendors developed solutions to quarantine malicious files: whatever you receive on a workstation, the anti-virus will isolate the file in a sandbox for sterilization. The efficient way to identify malware is to compare the malicious file's checksum value; win or lose, it all depends on the records (hash values) in the antivirus vendor's database.

Since the design goal of Dridex targets the banking industry, the malware designers fully understand the operational structure of the banking environment. Excel macro programming has wide usage in the banking environment, for instance in FX (foreign exchange), finance, dealing rooms, trade finance, etc. Even Bloomberg financial services offer a solution that collects financial news data via the Microsoft DDE (dynamic data exchange) feature, and DDE is part of the Excel spreadsheet functionality. See how critical MS Office applications are in banking operations.

The Dridex malware design enjoys the benefits of the Microsoft macro language. The macro language acts like a robot that assembles the malware body. The first phase of the attack is similar to the classic email phishing technique, with an embedded MS Word document (see diagram points 1-6 above). The assembly of the malware body is incomplete at that stage and therefore may not trigger the malware detector alarm. Dridex contains a self-replication feature driven by the MS .NET mechanism in the second phase of the process (see diagram points 7-9 above). A dynamic link library is assembled in the final phase (phase 3) of the process (see diagram points 9-11 above).

Malware detectors can properly deny the growth of Dridex

Classic UTM firewalls and antivirus programs might have functional limitations against this type of malware, but there are plenty of anti-malware products on the market with the capability to reduce such malware infection storms. Frankly speaking, it all depends on the right solution and the right direction; there is no absolute definition. The YARA rule below can give you an idea in this regard.

rule Dridex_trojan_XML {
   meta:
      description = "Dridex Malware in XML Document"
      author = "    "
      date = "2016/09/09"
      hash1 = "666b2121cfb7871cd1354b08d51a36e4"
   strings:
      // can be ascii or wide formatted - therefore no restriction
      $c_xml      = "<?xml version="
      $c_word     = "<?mso-application progid=\"Word.Document\"?>"
      $c_macro    = "w:macrosPresent=\"yes\""
      $c_binary   = "<w:binData w:name="
      $c_0_chars  = "<o:Characters>0</o:Characters>"
      $c_1_line   = "<o:Lines>1</o:Lines>"
   condition:
      // YARA identifiers are case-sensitive: every string must carry the $c_ prefix
      // for "all of ($c*)" to require all six of them
      all of ($c*)
}

Malicious files containing the Dridex footprint (assembly)

Recorded file names:

  • Dridex Malware.bin
  • 7f6c27356f9809eb7f1e7372dc1556ed76c43c47.doc
  • 2209_0C8D8115C2D2.doc
  • 34A7_FBD7E2BFD4.doc

Malicious site – analysis date: 2016-10-25

URL: http://50.63.174.16/ (valid till now)

Comment:

Odinaff Malware – New enemy of SWIFT

SWIFT is a global provider of secure financial messaging services. It is the big brother of the financial world, facilitating 24-hour secure international exchange of payment instructions between banks, central banks, multinational corporations and major securities firms. It met its enemy in the 21st century; everybody knows it is blockchain technology, or simply put, Bitcoin, right? However, its enemies are not limited to blockchain technology: a newborn malware was noticed attacking the SWIFT member network last month (Oct 2016). Its nickname is Odinaff.

Technical specification:

malware checksum SHA256: fbede281f54108136a6c73fec7d45386a803793b2a92964ec5355babe6127eec
File name: odinaff_payload.exe [12.0 KB ( 12288 bytes )]

Oh! The payload is only 12 KB. Security gurus must pay extra attention. My personal comment is that this is an advanced type of malware, since 30 antivirus vendors can detect this payload. Malware authors make minor changes or repackage their malware every few days to thwart detection via MD5 checksum or antivirus, and in some cases the malware is repackaged daily. Therefore, new samples often may not be detected. To be honest, at only 12 KB it is easy to repackage.

To correctly detect this malware with your malware detector, the details below give the pattern for your reference.

Reference: Yara rule

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

import "pe"

rule Odinaff_swift : malware odinaff swift raw{
        meta:
                author = "_____"
                date = "2016/10/27"
                description = "Odinaff malware"
                reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
                filetype = "binary"

        strings:

                $s1 = "getapula.pdb"
                $i1 = "wtsapi32.dll"
                $i2 = "cmpbk32.dll"
                $i3 = "PostMessageA"
                $i4 = "PeekMessageW"
                $i5 = "DispatchMessageW"
                $i6 = "WTSEnumerateSessionsA"

        condition:
                ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}

 

News update on SWIFT:

It looks as if SWIFT top management is aware of the criticality of the risk. To ensure adoption, SWIFT will start requiring customers to provide detailed self-attestation against the mandatory controls from Q2 2017.

Begin Enforcing Mandatory Security Controls

1. Restrict Internet Access and Segregate Critical Systems from General IT Environment

1.1 SWIFT Environment Segregation
A segregated secure zone safeguards the local SWIFT infrastructure from compromises and attacks from the broader enterprise and external environment.

1.2 Operating System Privileged Account Control
Access to local operating system accounts with system-level administrative rights is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, the accounts are restricted from being accessed.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT data flows within the secure zone, and its link to the user PCs.

2.2 Security Updates
All hardware and software inside the secure zone and on user PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.

2.3 System Hardening
Security hardening is conducted on all systems and infrastructure within the secure zone and on user PCs.

3. Physically Secure the Environment

3.1 Physical Security
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.

4. Prevent Compromise of Credentials

4.1 Password Policy
All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts.

4.2 Multi-factor Authentication
Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.

5. Manage Identities and Segregate Privileges

5.1 User Account Management
Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.

5.2 Token Management
Authentication tokens are managed appropriately during issuance, revocation, use, and storage.

6. Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection
Anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.

6.2 Software Integrity
A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications.

6.3 Database Integrity
A database integrity check is performed at regular intervals on databases that record SWIFT transactions.

6.4 Logging and Monitoring
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.

7. Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning
The organisation has a defined cyber incident response plan.

7.2 Security Training and Awareness
Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.

Advisory Security Controls

2. Reduce Attack Surface and Vulnerabilities

2.4A Back Office Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect data flows between back office systems or middleware and the secure zone.

2.5A External Transmission Data Protection
Sensitive data leaving the secure zone is encrypted.

2.6A User Session Integrity
The integrity and confidentiality of interactive user sessions connecting to the secure zone are safeguarded.

2.7A Vulnerability Scanning
Vulnerability scanning is conducted within the secure zone and on user PCs using an up-to-date industry-standard scanning tool.

2.8A Critical Activity Outsourcing
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.

2.9A Transaction Business Controls
Restrict transaction submission and receipt to the expected bounds of normal business.

5. Manage Identities and Segregate Privileges

5.3A Personnel Vetting Process
Staff operating the locally hosted SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.

5.4A Physical and Logical Password Storage
Any recorded passwords for privileged accounts are stored in a protected physical or logical location, with access restricted on a need-to-know basis.

6. Detect Anomalous Activity to Systems or Transaction Records

6.5A Intrusion Detection
Intrusion detection is implemented to detect unauthorised network access.

7. Plan for Incident Response and Information Sharing

7.3A Penetration Testing
Application, host, and network penetration testing is conducted at least annually within the secure zone and on user PCs.

7.4A Scenario Risk Assessment
Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation's security programme.

Android's bad luck this year! Do you think the iPhone is invulnerable?

We keep hearing about vulnerabilities found on Android phones recently, for instance the Dirty COW attack, the Drammer attack and the dangerous Pork Explosion backdoor. Do you think the Linux operating system is not secure anymore?

As far as I remember, no fewer vulnerabilities have been found in Apple iOS than in the Android operating system. Can you imagine under what circumstances XNU (X is Not Unix) can be compromised by a hacker? Consider the iPhone architecture and its main components. The architecture uses the Darwin operating system, which includes the XNU kernel and system utilities.

What is XNU?

Darwin is an open-source operating system released by Apple in 2000. Apple then built upon Darwin to create OS X and iOS. XNU is the computer operating system kernel developed at Apple Inc. for use in OS X and iOS. XNU was a hybrid kernel combining version 2.5 of the Mach kernel with components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit. iOS version details up to 2016 are shown below:

iOS has many similarities to Mac OS X in its kernel components and functions. As mentioned, XNU was a hybrid kernel built around version 2.5 of the Mach kernel. There are three important components in the kernel: Mach, BSD and IOKit.

  • Mach: low-level abstraction of the kernel
  • BSD: high-level abstraction of the kernel
  • IOKit: Apple's kernel extension framework

All the classes have a root object, called OSObject. OSObject mainly overrides the new operator to allocate memory and declares an init method to initialize the object itself. Because of this fundamental design, a few known vulnerabilities have occurred in this area: an application may be able to execute arbitrary code with kernel privileges. Do you think the iPhone is invulnerable? No, probably not. High-risk vulnerabilities were found in the last few months (2016). It seems the headline news was not intended to be broadcast in high profile and therefore did not seriously shock iPhone fans. For more details, please see the CVEs below for reference:

  • CVE-2016-4778: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4777: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (invalid pointer dereference) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4738: libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Remark: Impact – Processing maliciously crafted web content may lead to arbitrary code execution

Xcode is a development environment that contains a suite of software development tools for the creation of OS X, iOS, watchOS and tvOS software.

  • CVE-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
  • CVE-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

Current summary:

Due to business requirements, product life cycles have become short, which in turn shortens the product development life cycle and test cycle. It is a joke!

Edward Snowden Heads up! Stranger, what do you want?

Enterprise firms execute data classification to protect important corporate data. Following the code of practice, confidential data carrying a high-sensitivity label requires encryption. The whistleblower Edward Snowden alerted the people of the world in 2013. But you might still have a question to ask: what sort of personal data do we need to protect? End-user computing seems to be mostly ignored by users. The traditional idea is that we enforce preventive controls from the server end. As time went by, the mobile phone twisted the IT world: an IT Renaissance, literally reborn. Computer usage is no longer limited by location and time zone. We can execute remittances or payments on a mobile phone. You back up or synchronize mobile data when you go home. Sure, you can upload everything to the cloud.

Regarding the global surveillance program by the US government

It looks like the surveillance program is a never ending story! Why? From the official perspective, a domestic surveillance program can effectively monitor terrorist attacks and criminal activities. The NSA web page slogan makes the following statement.

“Defending our nation. Securing the citizens.”

We have no objection to the collection of internet data, mobile phone voice and data exchange being used as a weapon to fight against crime. To be honest, we don’t have rights! But a question is raised: how do we identify the usage of this data? We are not the perpetrators, so logically we might not be afraid of this control?

Highlights of the NSA data collection methodology:

  • Real-Time Yahoo Email Scanning
  • Domestic Intercept Stations
  • Bulk Collection of U.S. Citizens’ Phone Records
  • The PRISM Program: Source of Raw Intelligence
  • Google Cloud Exploitation
  • Cellphone Tracking
  • Spying Toolbox: Servers, routers, firewall devices, computers, USB, keyboard, wireless LAN, cell phone network & mobile phone
  • FBI Aviation Surveillance Operations (FBI Hawk Owl Project)
  • XKeyscore: Our Real-Time Internet Monitoring Capability

The above details are not confidential data; you can easily find this information. Please visit the NSA front page; for more details please see below:

https://nsa.gov1.info/surveillance/

The US Government, with a high visibility statement, lets the citizens know they are under surveillance. An open method of the NSA is the use of a tool called “XKEYSCORE”. When a user logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/english” fingerprint (denoting language settings). When a browser visits a site that uses Yield Manager, a cookie will be set. This cookie is used to identify whether the browser has loaded an advert and when and where it loaded it (which detects Yahoo browser cookies). Yield Manager also collects information such as:

– the date and time of your visit to the website.

– IP address.

– the type of browser you are using.

– the web page address you are visiting.

The XKEYSCORE appIDs and fingerprints list gives several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

XKEYSCORE feature highlights:

  1. Tracking Bridge Users
  2. Tracking Tor Directory Authorities
  3. Tracking Torproject.org Visits

The part of the XKEYSCORE source code shown below gives you an idea of how XKEYSCORE focuses on Tor routers.

As traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern.

But what about the hackers? Hackers also have an interest in the same data the NSA does. I believe that the checklist details below lure hackers’ interest.

Internet application coding creates loopholes that make this cyber game a never ending story.

Example:

  • Email accounts or passwords using session cookies
  • A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content
  • When a cookie doesn’t have the Secure flag set, it can be sent over insecure HTTP (provided that HSTS is not used; HSTS is described in the next section). When this is the case, an attacker controlling the communication channel between a browser and a server can read this cookie. If the cookie stores a session ID, then disclosure of this cookie over insecure HTTP leads to user impersonation.
  • When a cookie doesn’t have the HttpOnly flag set, JavaScript can read the value of this cookie. That’s why an XSS attack leads to user impersonation if there is no HttpOnly flag set on the cookie holding the session ID. When a cookie has the HttpOnly flag set, an attacker can’t read the value of the cookie in case of an XSS attack. The problem is that access permissions are not clearly specified in RFC 6265. It turns out that a cookie with the HttpOnly flag can be overwritten in Safari 8.
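As an added example (not code from the original post), this Python script audits Set-Cookie headers for the two flags discussed above and applies the same reasoning: a missing Secure flag exposes the cookie to plain HTTP unless HSTS is in force, a missing HttpOnly flag exposes it to XSS, and either problem on a session cookie means impersonation. The sample headers and the name pattern used to spot session cookies are constructed assumptions.

```python
import re

# Assumption: cookie names containing these fragments usually carry a session ID.
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # Secure/HttpOnly carry no value
    return name, attrs


def audit_cookies(set_cookie_headers, hsts_enabled=False):
    """Return {cookie name: [findings]} following the reasoning in the text:
    no Secure flag -> the cookie may be sent over plain HTTP (unless HSTS forces
    HTTPS); no HttpOnly flag -> document.cookie exposes it, so XSS can steal it.
    A cookie that looks like a session ID gets an extra HIGH finding."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            if hsts_enabled:
                issues.append("no Secure flag (HSTS limits exposure, but set it anyway)")
            else:
                issues.append("no Secure flag: cookie can be sent over insecure HTTP")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable by JavaScript, so XSS can steal it")
        if issues and SESSION_NAME_HINT.search(name):
            issues.append("HIGH: looks like a session ID, exposure means impersonation")
        findings[name] = issues
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=c0ffee42; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or ["ok"])
```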

Short term conclusion:

No way because we are living on earth!

Reflections on a memory resource management technique – malware might say its day is coming.

A few days ago, the Linux world found a potential vulnerability. A memory resource management technique called COW (copy-on-write) is troubling the IT world. The problem was that an unprivileged local user could use this bug to gain write access to otherwise read-only memory mappings, and thus perform a privilege escalation.

What is Copy-on-write memory structure?

Copy-on-write finds its main use in sharing the virtual memory of operating system processes.

Does it apply to all computer OS systems?

Typically the system structure involving the fork system call is found on Unix and Linux OS systems – the fork() system call.

Remark: In Linux, the key data structure is struct task_struct. It contains pid (the thread ID), tgid (the process ID), and pointers to the parent process’s task_struct.

What is the fork() system call?

The system call fork() is used to create processes. It takes no arguments and returns a process ID. The purpose of fork() is to create a new process, which becomes the child process of the caller. After the new child process is created, both processes execute the next instruction following the fork() system call.

Major flaw of implicit sharing or shadowing (copy-on-write)

The key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. But get_user_pages() does not check the pte_dirty() bit properly.

The vulnerability was found by Linus Torvalds. For more detail, please refer to the URL below.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

What about cloud computing architecture? Is it impacted by a similar flaw?

Since the flaw was found on Unix and Linux based machines, a Linux based hypervisor carries an inherent risk until it is patched. It looks like this flaw may lure attackers’ interest, especially on cloud computing server farms. From a technical point of view, the key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. It takes a pointer to the task performing the I/O; its main purpose is to tell the kernel who should be charged for any page faults incurred while setting up the buffer. However, get_user_pages() does not check the pte_dirty() bit properly. What if an unprivileged local user is infected by malware? The attacker relies on this bug to gain write access to otherwise read-only memory mappings, and thus performs a privilege escalation. It looks like even an advanced defense mechanism would find it hard to detect this type of suspicious activity.
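As an added example (not code from the original post), this Python script shows the copy-on-write contract that the flaw above lets an attacker break: a write through a private (MAP_PRIVATE) mapping of a read-only file must land in a per-process copy of the page and never reach the file itself. It creates its own temporary file with constructed content, so nothing on the system is modified.

```python
import mmap
import os
import tempfile

# Constructed file content; no real system file is touched.
ORIGINAL = b"read-only configuration line, must not change\n"


def private_write_does_not_reach_file():
    """Open a file read-only, map it privately with write permission, modify the
    mapping and return (bytes seen through the mapping, bytes still on disk).

    ACCESS_COPY is Python's name for MAP_PRIVATE with PROT_READ|PROT_WRITE. The
    first write to such a page makes the kernel copy the page for this process
    only (copy-on-write), so the file itself stays unchanged. Dirty COW raced
    get_user_pages() so that the write landed in the shared page cache of the
    read-only file instead of in the private copy."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, ORIGINAL)
        os.close(fd)
        os.chmod(path, 0o444)                  # read-only for everyone, like a system file
        ro_fd = os.open(path, os.O_RDONLY)     # no write permission on the descriptor
        try:
            view = mmap.mmap(ro_fd, 0, access=mmap.ACCESS_COPY)
            try:
                view[0:9] = b"MODIFIED!"       # allowed: goes to a private copy of the page
                seen = bytes(view[:len(ORIGINAL)])
            finally:
                view.close()
        finally:
            os.close(ro_fd)
        with open(path, "rb") as f:            # what the file really contains afterwards
            on_disk = f.read()
        return seen, on_disk
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)


if __name__ == "__main__":
    seen, on_disk = private_write_does_not_reach_file()
    print("mapping :", seen)
    print("on disk :", on_disk)
    print("copy-on-write honoured:", on_disk == ORIGINAL)
```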

Suggestion

Since this bug carries unpredictable potential risk, it is better to patch your Unix or Linux system immediately.

We can foresee that the impact of this bug will trouble the IT world, since web servers, load balancers, security devices and even malware detectors are running the Linux OS. It looks like a tsunami.

Information Supplement on 25th Oct 2016

The XNU kernel is used widely on many Apple devices, ranging from the iMac to the iPhone. A list of system calls from iOS 6.0 GM is shown below:

Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T

The purpose of fork() is to create a new process, which becomes the child process of the caller. After the new child process is created, both processes execute the next instruction following the fork() system call. Therefore, we have to distinguish the parent from the child. The XNU kernel is derived from BSD Unix. I believe that iOS might have a similar vulnerability that has not been discovered yet!

Status update 10th Nov 2016 – DirtyCow yara rule

rule DirtyCow_Unix_Linux_only
{
    // Rule name fixed: a YARA identifier cannot contain spaces or hyphens.
    meta:
        description = "Dirty COW exploit code, as a compiled ELF binary or as C source (Unix/Linux only)"

    strings:
        // x86-64 argument setup from a compiled exploit: edx=1, ecx=2, r9d=0,
        // consistent with mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0)
        $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }

        // call/return patterns from the same binary ("??" is a one-byte wildcard)
        $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
        $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }

        // fragments of the public exploit's C source
        $source1 = "madvise(map,100,MADV_DONTNEED);"
        $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
        $source3 = ",map,SEEK_SET);"

        // status messages printed by the exploit
        $source_printf1 = "mmap %x"
        $source_printf2 = "procselfmem %d"
        $source_printf3 = "madvise %d"
        $source_printf4 = "[-] failed to patch payload"
        $source_printf5 = "[-] failed to win race condition..."
        $source_printf6 = "[*] waiting for reverse connect shell..."

        // procfs paths the exploit writes through
        $s1 = "/proc/self/mem"
        $s2 = "/proc/%d/mem"
        $s3 = "/proc/self/map"
        $s4 = "/proc/%d/map"

        // the race is run from two threads
        $p1 = "pthread_create" fullword ascii
        $p2 = "pthread_join" fullword ascii

    condition:
        // uint16(0) == 0x457f is the ELF magic (7F 45) read little-endian
        ( uint16(0) == 0x457f and $a1 ) or
        all of ($b*) or
        3 of ($source*) or
        ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
}