Category Archives: Uncategorized

Assurance level of 3rd party software – Part 1

Preface

As we know google did the 3rd party application assurance last few months. Their objective is intend to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile)  was born on 2002 written in assembly language which target Microsoft software operating system products. As time goes by, the 2nd generation of metamorphic code capable changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of technology world on 2007 driven by Apple iPhone and Android. Thus such a way driven malware and rootkit re-engineering their architecture. As a result, their implant destination not limit on device drive itself. It also includes smartphone 3rd party application.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step lets the hacker do the hook or infiltrate job is to identify the usable memory space.  A parameter so called KeServiceDescriptorTableShadow. Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of
KeServiceDescriptorTable variable.

Below syntax get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTable; // array of entry-points PULONG puCounterTable; // array of counters ULONG uTableSize; // number of table entries PUCHAR pbArgumentTable; // array of byte counts } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Below syntax is retrieves its address in different version of Windows.

PSERVICE_DESCRIPTOR_TABLE QuerySDTShadow()
{
 ULONG Index;
 PUCHAR SDTShadow;
 UONG MajorVersion, MinorVersion, BuildNumber;
 UNICODE_STRING &CSDVersion;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 __try
 {
 if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
 else // Windows 2000, or Windows Vista
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
 for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
 {
 KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
 continue;
 if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
 && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
 {
 return (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 }
 }
 return NULL;
 }
 __except(1)
 {
 return NULL;
 }
}

Below details on the picture left hand side show you the step how to relies on driver hook into the kernel process. In end-user point of view, there is a simple way to identify the current driver load into your PC or server. You just execute a command fltmc in your MS-DOS prompt. There is not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party driver load into the windows kernel. For more details, please refer to right hand side in below picture.

 

Hacker is difficult to find available address space due to ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitation might have possibility let hacker implant malware. However a better idea is that take easy way instead of difficult way. A way confirm that it is possible. From technical point of view, ASLR avoid hacker know the actual memory address.  How about run the malicious code driver and ASLR mechanism at the same time (simultaneously).That is pre-install a 3rd party driver with malicious code embedded then load the software driver during operating system startup. The way similar antivirus product using API hooking allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operation.  On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. And therefore hacker could be focus on 32 bit OS instead of 64 bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, running 32-bit code on a 64-bit operating system design with a destinate folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs to meet the design objective. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. Below diagram shown that the WOW64 emulator responsible for file system redirection for several key components of the Windows operating system.

To identify 32 bit and 64 bit environment changes depending on the registry key. For instance, the ‘rundll32’ is point to the specify registry (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.

C:\Windows\SysWOW64\rundll32.exe

This is the 32-bit version program thus everything will be remapped accordingly (see below diagram for reference)

Above details shown the registry and file redirection mechanism to execute 32 bit application on 64 bit of operating system. It looks fine that application not possible to work with incorrect bits environment since it governance by registry. However a fundamental design architecture looks provide benefits to the hacker (see below diagram for reference):

Above diagram indicated that software device driver module allow 32-bit software driver go thought module (WOW64) communicate with 64-bit Kernel function. So it has possibility go through the software driver then compromise the system. From security point of view, the server or workstation Antivirus processes will keep track all DLL activities on directory (c:\windows\SysWoW64). So what is the malware next action?

Malware next action

A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring. A hacking technique so called Register load image callback (see below)

PsSetLoadImageNotifyRoutine

How to prevent PsSetLoadImageNotifyRoutine

Microsoft have solution available against register load image callback flaw. Developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm the routine returns name information for an open file or directory. And therefore it is the way to avoid the fundamental design limitation of API system Call mechanism (PsSetLoadImageNotifyRoutine).

But what is the causes for system developers not intend to use this preventive mechanism.

FltGetFileNameInformationUnsafe allocates it’s own memory for the structure. As a result it will encountered blue screen and system crash once 3rd party software driver not follow the SDLC (software development life cycle).

Alternative type of attack  (This time does not intend to discuss in detail)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface)

Kernel mode : these rootkits modify the kernel data structures, as well as they hook the kernel’s own APIs. It compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.

Summary:

Even though your IT infrastructure install full scope of detective and preventive control facilities. The 3rd software driver will broken your security facilities. Perhaps you have SIEM and central log event management product however such malicious activities is hard to detect since it is running in Kernel (Ring 0).  So a standard policy on software usage is critical goal on today cyber technology world. Believe it or not, a 3rd party software driver embedded malicious code can break your great wall.

 

 

 

 

 

 

 

Security Alert ! Trap of wannacry – status update on 29th May 2017

Is it anti-tradition? IT folks, do you white list ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Expert was told, the strange design of Wannacry will stop spread the ransomware to known subnet once he can get in touch with his C&C server. But do you think this is a trap? I speculated that ramsomware intend to create this trap fool the guy who think this is a solution and then can easy go to their internal network in 2nd phase. So the better idea is that do not input this domain into your whitelist. Cheers!

Information update on 18th May 2017

Recently Wana Decrypt0r 2.0 C&C server:

  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Wana Decrypt0r 2.0 modify the Windows Registry Editor and target the following sub-keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd
HKCU\Control Panel\Desktop\Wallpaper

Encryption algorithms:

  • AES (Advanced Encryption Standard) 128 –  cannot be decrypted the file until you receive the FEK (File Encryption Key). This key may be the only method to decrypt the files .

Structure of an Encrypted File

Rivers-Shamir-Adleman or RSA – Wanncry design objective intent to generate unique public and private keys for each of the files. This makes the decryption of each file separate and very difficult and unique process.

Observation:

Attention: If no data backup on hand, it is hard to say pay the ransom is the solution. Since WanaCrypt0r .WNCRY contained extreme destroy concept and enforce to delete the shadow volume copies and eradicate all chances of reverting your files via backup on the infected computer (see below destroy scenario command syntax). The security concern is that it is hard to guarantee that it is virus free after hard disk encrypt on victim machine. As a matter of fact, WannCry via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware. No evident to proof that WannCrypt0r will remove his footprint after victim pay the ransom and therefore victim machine still vulnerable until execute a low level format of the hard disk and reinstall all the application. But it is hard to tell at this moment. Therefore it must be handle the data carefully after you pay the ransom.

The extreme destroy command syntax are shown as below:

  1. vssadmin delete shadows /all /quiet2.
  2. wmic shadowcopy delete

Remark: At user level below command can do in the following step: Go to Start Menu-All Programs-Accessories,then right-click Command Prompt and select Run As Administrator,because Administrative privileges are required to use BCDEdit to modify BCD

3. bcdedit /set boostatuspolicy ignoreallfailures
4. bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Hints and Resolution found on 19th May 2017

Hints that Windows 7, XP, Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2 instead of Windows 10 . The OS itself  keeps a copy of the two prime numbers that it provided to WannaCry in memory.  Those primes can be recovered. It is possible to relies on this feature to compute the encryption key and then used to decrypt all encrypted data. A tool make use of above criteria and might have way to decrypt your data. For more details, please refer to below url for reference.

https://github.com/aguinet/wannakey

If above hints can’t help and you would like to keep the encrypted data. You can do the following.

Backup all your files (00000000.eky and remaining files). May be in future, there is new resolution which provide the key decrypt your data.

Proof of idea! Who bear unredressed injustice APT activities in 2013.

Wiki released confidential document on 28th April, 2017, the details is exposed how government enforcement agency (CIA) counterfeit Russian and Chinese cyber activities. We receive the basic understanding of the Scribbles . To be honest, it is common that when government agency take the criminal action. However of this confidential information exposed. My reflections drive me to review my former written articles on other discussion forum during 16th April 2016. I was question that engage the investigation on Advanced Persistence threat (APT) might mislead the direction of the result. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. The overall idea to me on this issue, I can do a scenario replay to assembly the story. Since this is only my speculation and imagination. As a matter of fact, it looks with high possibility. If you are interest, please go ahead to read more.

The story given out from my memories, it is talking about 4 years ago. The senior person (owner) of a consulting company email account was hacked. The security guru found that there is a Advanced Persistence threat (APT) activities given by China. A rumours were told that the people who found this so called Advanced Persistence threat (APT) is the anonymous group. This powerful under ground group found out this incident and intend to provides hints and finger print let the security consultant found out the truth. My personal opinion is that such incident might contained some shadow node. Also it is easy to counterfeit the attack. Today it looks that the secret information exposed by Wiki leak provides more possible factors. At the same time it make people queries the result in 2013. At least I am the one who question this result. Below is my speculation how CIA counterfeit the cyber activities let the APAC countries especially China bare unredressed injustice causes.

Latest WikiLeaks release shows how the CIA uses computer code to hide the origins of its hacking attacks and ‘disguise them as Russian or Chinese activity’

https://wikileaks.org/vault7/?marble#Marble

Recap my discussion details on 16th April 2016

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that attached diagram can provide an idea to you in this regard.

 

 

 

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

Happy Lunar New year 2017

Modern people daily habits looks different when we compared 10 years ago. My wallet has ATM card & Octopus. On my mobile phone there are few options allow pay online. The trend of cyber security addressed how important of end user computer today. Even though back end system protection looks like Royal castle or Pentagon. Who knows their electronic devices has been compromised by hacker. We all busy today, right!

Regarding to cyber attack historical records for financial institute environment , hacker compromised end user machines (customer end point) causes disaster level of outbreak. The statistic summary were told that the possibilities looks lower. Conversely, the most serious of injury was that a inside threat happened in their infrastructure instead of external threat.

Three Eastern European men were arrested in Taiwan in July, 2016 on suspicion of collecting cash stolen from ATMs owned by First Commercial Bank. Refer to the investigation summary of Europol, the specifics cyber attack machanism used spear-phishing emails containing malicious attachments to target bank employees and penetrate the bank’s internal networks.

Below articles is my prediction last year of this incident for reference.

Published on 31st Aug 2016

Possibility – scenario replay (implant Rootkit on BIOS causes ATM machine crazy)

Summary:

Since ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now? Who knows?

More reference:

http://www.reuters.com/article/us-taiwan-cyber-atms-idUSKBN14P0CX

Happy Lunar New Year 2017

 

 

 

Does it like science fiction description, computer governance this world?Who we are? – part 1

Did you read science fiction book? For instance Terminator, Matrix …etc. The overall idea of the story reminded that computer system is the governor of human being finally. Human being under their control. Can nightmare come true?

Computer technology growth rapidly after year 2000. Still remember that our team concerns thousand years worm interfere the computer clock during that day. But wake up next morning feeling that the technology go to new century.

This topic brings to my attention and the informations pulling myself go to science technology instead of IT technology. The digital DNA term I heard from HB Gary. Yes, he is the former malware hunter. Their services provides advance detection and prevention solutions to government sector and financial institution. But the nature of digital DNA here looks have difference. This element (digital DNA) is equivalent to human being component. As we know, the origin of human life through chemical evolution. Two important of points drawn to biological evolution shown as below:

  1. Living things descended from a common ancestor and thus have common chemistry.
  2. Living things adapt to their environment.

Without DNA, it would be impossible to pass on adaptations, and evolution would be virtually non-existent.

Genesis element – DNA or digital DNA

Genesis element – Quantum

Quantum theory distributed in major IT technology domains. They are network communications, encryption and quantum computing. The major component of quantum computing is quantum bits. One of the great challenges for scientists seeking to harness the power of quantum computing is controlling or removing quantum decoherence – the creation of errors in calculations caused by interference from factors such as heat, electromagnetic radiation, and material defects.

Read more at: http://phys.org/news/2015-04-scientists-critical-quantum.html#jCp

Genesis element – Adaptation

Adaptation: a characteristic that makes an organism to survive and reproduce in its environment. The adaptations are more likely to survive and procreate. Without DNA, it would be impossible to pass on adaptations, and evolution would be virtually nonexistent.

Up until now, artificial intelligence growth rapidly. 3 major elements has been established. In fact it is not mature today. However nobody know how fast developing in this area. Since some of the technologies are the intellectual proprietary. The simple we can say, …

who have privileges to governance in earth, all depends on intelligence.

Radar revolution – from defensive evolve to attack

Electronic technology especially Radar system far away from people common knowledge. May be you and me have chance read the scientific magazine or News learn the idea. It is a advanced technology of defence department for country. Still remember that learn VHF or UHF technologies in school. The frequency ranges are shown as below:

At that time I only focus of walkie talkie technology and did not care of radar system structure!

Bring to my attention till heard a military weapon AN/TPY-2 is going to install in APAC country. It looks that this news struggle especially China and neighbour countries.

Let’s have quick view of radar design types. Then go to discuss AN/TPY-2. Two basic radar types are pulse transmission and continuous wave. For differences between the design type, please refer to below chart.

How powerful is the AN/TPY-2 system

Refer to the picture of this subject matter, a quick overview of X-band and S-band technologies might bring an idea to you that the wave length (lambda λ) affects the precise level of hitting the target. The X-band wavelength is about 1/4 of S-band wavelength. The tolerable level of hitting to target error significantly improved. X band radar system working with military satellite. It can easily destroy the missiles on the land before it fire. The X-band frequency and narrow beam widths add the additional advantage targeting smaller objects.

Narrow beam widths benefits:

Question:

Know above details might have question to ask? It looks that whole bunch of benefits but what the reason we need this facilities. Is it for defence or other reasons?

 

Virtual machine architecture enemy – LKM rootkit

If someone ask you a question. What is the enemy of cloud computing architecture? Yes, we believed that more details can be provided. For instance Distributed Denial Of Services, malware, virus, misconfiguration,…etc. But what do you think the influence of rootkit? Since Micro-segmentation architecture assists cloud computing services provider build their campus. From general point of view, system OS platform and application run on top of virtual environment are easy to manage. All system and users activities will be managed and monitored by hypervisor. What if unknown signature shell code attack to virtual machine? Is there any possibilities influence the neighbor system on same premises? Let’s do a quick review and then jump to discussion.

The fundamental of hypervisor

Bare-metal hypervisor

Provides partition isolation, reliability and higher security.It has no host OS layer to attack theoretically.The bare metal hypervisor base design products includes Oracle VM Server for SPARC, Oracle VM Server for x86, the Citrix XenServer, Microsoft Hyper-V and VMware ESX/ESXi.

Hosted hypervisor

Low cost, no additional drivers and ease of use and installation.The hosted hypervisor base design products includes VMware Workstation, VMware Player, VirtualBox, Parallels Desktop for Mac and QEMU.

Arm-based hypervisor

System virtualization for ARM is useful for mobile device and future ARM based server.Cell phones and Internet of Things are the arm-based hypervisor setup.

Types of Hypervisor – Informatic diagram:

This section we focus on bare metal hypervisor security outline. In the virtual machine world, linux system are everywhere. Even though the hypervisor is the linux based system or modified linux system built. The critical OS systems being relocated to Linux system platform last 5 years. Besides, the cell phones based on Linux OS become the main trend today. No matter it is Apple or Android, their core is the linux system. We relies on SSH connectivity today, it adopted by IT industry. A question might get in your mind, is it possible to re-engineer the SSH become a cyber weapon?Regarding to the cyber incident historical records, hacker start this idea earlier in 2015. We remember the XOR-DDOS attacks criteria , hackers cocktail the attack mechanism run in hybrid mode. Both SYN and DNS flood generated by the Xor.DDoS Malware. The attacker will send many SYN packs to victim host with multiple sources and launched on port 22 (ssh). Yes, the hacker take the popularity of SSH because it is a harmonized standards across the IT world.

Famous rootkit against linux environment

Phalanx: This rootkit uses /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. It has been designed for compromising the Linux 2.6 branch. Phanlanx design for harvest SSH keys and other credentials. Since Phalanx attack found on 2008 and file record by CERT. But this attack technology still valid today.

Phalanx characteristic:

Hooking lookup Tables, Code patching & Hooking CPU registers

Ebury SSH Rootkit: In February 2013, CERT-Bund started analyzing Ebury in depth and was able to identify thousands of systems around the world infected with the malware. Ebury is a SSH rootkit/backdoor trojan for Linux and Unix operating systems. The 1st attack phase is going to replacing SSH related binaries on a compromised hosts. The non genuine SSH program so called Ebury, the goal is going to steal SSH login credentials (username/password) from incoming and outgoing SSH connections. But taking about the privileges escalation feature, it was not included in Ebury feature. When it compared with Phalanx , Ebury is easy to detect.

What if hacker sojourn rootkit in kernel. Is there any possibilities influence the neighbor system on same premises?

The guest machine compromised,  however hacker might have difficulties drill down to low level system area. For instance, bare-metal hypervisor contain good isolation level. Is there any possibility engage a ring-0-attack, that is running malicious call in memory level.

Is that no way? But hacker will spend time on harvesting in memory side

When running a virtual system, it has allocated virtual memory of the host system that serves as a physical memory for the guest system, and the same process of address translation goes on also within the guest system. This increases the cost of memory access since the address translation needs to be performed twice – once inside the guest system (using software-emulated shadow page table), and once inside the host system (using hardware page table). Whereby a memory management technology (Second Level Address Translation (SLAT)) was born, his duty is going to enhance the usage of memory resources in the virtual world.

About (Second Level Address Translation (SLAT)) inherent risk

SLAT schemes such as Intel’s Extended Page Tables (EPT) and AMD’s Nested Page Tables (NPT) as shown below diagram are used to manage the virtualized memory directly from the processor. Using a larger Translation Lookaside Buffer (TLB) with additional logic circuitry inside the processor, these schemes provide faster virtual machine memory management by eliminating the intermediary step between the virtual memory address (VA) and the physical memory address (PA).

Refer to above diagram, the TLB table has the option that indicates if the received data is from a virtual machine or the native machine. Also, if the data is generated by a virtual machine, then it is tagged with that specific VM’s Address Space Identifier (ASID). Using this tag, the TLB can keep track of entries from different virtual machines in the physical machine. This method provides a significant performance improvement in VM memory management but also introduces a security risk by giving direct memory access to the guest VMs.

Remark:  Above inherent risk information details (security risk of SLAT) copy from technical article Fine grain Cross-VM Attacks on Xen and VMware are possible!
Gorka Irazoqui Apecechea, Mehmet Sinan Inci, Thomas Eisenbarth, Berk Sunar Worcester Polytechnic Institute {girazoki,msinci,teisenbarth,sunar}@wpi.edu

We stop here! It was too long and boring. I am afriad that reader might lose the interest, right? Will provide update soon!

 

 

SSL or IPsec , where to go? Critical bug found by Cisco , but its effects might jeopardizing the IT world.

Background Story:

POODLE attack exploit SSL 3.0 vulnerability found in late 2014, such vulnerability proven that hacker can take this vulnerability advantages execute man-in-the middle attack.

The original POODLE attack is CVE-2014-3566.
F5 Networks files CVE-2014-8730 proof POODLE attack also apply to transport layer security. Since the poodle side effects looks widely spread out, Payment card industry authority alerts and announce that they gives 14 months to merchants fix this high risk SSL problem. That means the appropriate way is replacing the SSL function (see below statement).

SSL and early TLS are not considered strong cryptography and cannot
be used as a security control after 30th June, 2016.  Prior to this date, existing
implementations that use SSL and/or early TLS must have a formal Risk Mitigation  and Migration Plan in place.  
Effective immediately, new implementations must not use SSL or early TLS.  
POS POI terminals (and the SSL/TLS termination points to which they connect)
that can be verified as not being susceptible to any known exploit
s for SSL and early TLS may continue using these as a security control after 30th June, 2016.

About the subject matter ( Cisco ASA software IKEv1 and IKEv2 buffer overflow vulnerability (CVE 2016-1287)

CVE 2016-1287 was published Feb this year, the founding was that hacker can make use of IKEv1 and IKE v2 vulnerabilities execute a fragmentation heap buffer overflow. The traditional  heap overflow is a form of buffer overflow. It happens when a chunk of memory is allocated to the heap and data is written to this memory without any bound checking being done on the data. Regarding to the information provided by Cisco, such vulnerability affected to Cisco ASA Software running on the following products.

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

But information supplement posted by Cisco bring to my attention. See below:

Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
Clientless SSL
AnyConnect SSL

My understanding is that you can avoid such vulnerability occurs on Cisco products if you are using SSL 3.0 solution. But how about the PODDLE attacks? Besides, this buffer overflow on IKEv1 and IKEv2 looks not limit to Cisco brand name. May be it does not proof or found in the moment. As far as we know, firewall appliances operartion system build by Linux normally. The vendor hardening the OS and add their proprietary applications on top. If attacker can send crafted UDP packets to the affected CISCO products. Is there any possibilities engage similar attacks to other similar OS platform firewall?

Expert analysis on weakness of design

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4–6 packets with 2–3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. If an attacker can send crafted UDP packets to the related firewall products. It looks that similar vulnerability might occurs? The side effects looks serious. The following areas are vulnerable.

 

  • LAN-to-LAN IPsec VPN
  • Remote access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
  • IKEv2 AnyConnect

Expert solution:

(薑越老越辣) The older you get the more experienced you are,Chinese mantra said. The potential damage of this vulnerability was that both two entities (access control and VPN functions) are seat in the same box. If we define separation of functions might mitigate this risk. That is relocate the VPN feature to another box. Do you still remember that the Father of firewall (Checkpoint). Their Firewall design framework was that access control and  policy server are running in different boxes. The designer foresee that a single point of failure causes compromise of whole defence system. The cyber world atmosphere has been changed after Unified Threat Management appears in the world. As times go by, maybe new generation of firewall coming soon. Hardware are cheap today. Multi layer functions setup is the fashion cope with advanced cyber threats.

 

Cisco technical article in regards to CVE 2016-1278

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

PCI – standard : SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Please refer to attached document (PCI requirement 2.3 on page 5).

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf

 

Wide Angle Lens For DNC Hack (Part 1)

The headline news this week focus 2016 election of US president scandal.Just heard email leakage by Mrs. Hillary Clinton. The election in political world is a War instead of competition. This articles focus on unexplored information in DNC hack incident.

Findings by Invincea

The technical report provided the analytic that DNC hack incident caused by Trojan. Hackers modified end-of-life software product. The hacker injects Trojans and Malware functions into software. The software developed by China application vendor (Xten), it aimed to enhance voice stability operations in firewall environment. The software such a way involved unredressed injustice. Regarding to the report, hackers relies on Remote Access Trojan (RAT) technique sojurn to workstations belongs to Mrs. Hillary Clinton. The finger print shown that the hack group might belongs to APT 28. Regarding to the virus incident track records, the source IP address of this Trojan (Malware) came from 85.117.47.0/24.

How was it infect?

The infection method was that unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Wide Angle Lens – invaded DNC

1st version of Trojan (born before 2010):

Check repository of virus database. The anti-virus vendor Symantec found this virus in 2010. His naming convention is “Generic Trojan”. However this Trojan (malware) headache Symantec more than 2 years. The problem was that antivirus program quarantine the execution file of Generic Trojan. The sterilize step is going to rename the original file name DWHwizrd.exe to DWHxxx.tmp. However Symantec customers found that virus alert message pop-up after Trojan quarantined. Symantec technical support provides many solution to client. But unfortunately problem still persists. The customer report that virus alert displayed on screen even though you delete all the temp files. Heard that problem was fixed in mid of 2012.

Why does hacker reuse this Trojan (malware) ?

Since China software house (Xten) created a family of SIP products based on their XTunnel protocol and run on top of windows. The benefits is that the software establish voice IP tunnel might mislead the technical staff and security administrator. They think she is using soft-phone! As usual traffic encrypted and therefore firewall can’t monitor. Or this is her personal computer, no nobody know what is happen?

Hacker relies of the software vulnerabilities re-issue next generation of Trojan.

The Xten software is a windows base open source tool and it is end of product life cycle. I believed that it is a easy way for hacker design a Trojan in short time. Since MD5 checksum different for new generation of Trojan. Therefore antivirus vendor may not aware until user report. But personally, I suspected that hackers might know the weakness of anti virus program install on target machine and custom made virus or trojan (malware). Symantec found the Trojan file name in 2010 is DWHwizard.exe. Invincea found the malicious file on victim workstation with naming convention vmupgradehelper.exe. It looks that anti-virus programs are able to detect this Trojan after 11th July 2016 (Hillary email leaks scandal open to public).

Doubts:

1. Since Xtunnel establish site to site connection. Mrs. Hillary Clinton works with US government at that time. It was confused that the defense mechanism in US government did not alert the victim workstation connect to APT 28?

2. Even though Mrs. Hillary Clinton not working in office. Do you think there is only one cyber defense program (antivirus) install on such important person workstation?

Headline News status update on 31st Jul 2016

http://www.nytimes.com/2016/07/30/world/europe/dnc-hack-russia.html?_r=0

Expert findings – so called Russian Xtunnel

https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/

 

Meteor shower – Apple iPhone

It is hard to imagine that hacker can jailbreaks Apple iphone device over the air! Oh, a national level of action task can do anything! No need to mention this news too much. You can find out the details when you do a google search, right? OK, we discuss those vulnerabilities into a little bit details. There are total no. of three vulnerabilities found by security experts (CVE details shown as below):

CVE 2016-4657: WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE 2016-4656: The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

CVE 2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.

Surprise, it jailbreak the iPhone over the air!

Step 1. Hacker lure the victim execute a click on SMS, a automatic redirect action engaged and forward iPhone to web site (sms.webadv.co) and download the payload immediately.The objective is going to delivery WebKit applications vulnerability.

Attacking WebKit Applications by exploiting memory corruption bugs:

Design weakness:

Every WebKit object is RefCountedBase object

Mobile Safari and most of WebKit Apps leak address – Fill in another object and use the JS pointer of the old object to read information of the new object

 

 

Step 2.1:  CVE-2016-4656 (Kernel Information Leak Circumvents KASLR)

It is the most difficult part because Kernel Address Space Layout Randomization
(KASLR) mapping the kernel into different and unpredictable locations in memory. The attacker has found a way to locate the kernel by using a function call leaks the kernel’s actual memory location to be mapped. For instance, it is possible to leak information about memory layout using format string vulnerabilities.

Remark: format string exploits can be used to crash a program or to execute harmful code

Step 2.2: CVE 2016-4657 (Memory Corruption in Kernel leads to Jailbreak)

The JavaScript core of WebKit uses JIT, to do this it require an area of memory which is both writable and executable. With the reverse engineer software like malware. A function so called “allocateJIT” is the perpetrator. If a syscall instruction is executed from within JIT shared memory. The malicious software  can execute privilege escalation.  The last stage is deploys a number of files deployed in a standard unix tarball.

Observation – Why was apple only release the patch can fix this design bug?

Predict that Apple added their own privilege checks in the kernel; only processes which pass these checks are allowed to use JIT.

Is that mean the national security agency can export the data from iphone? There is no need to request escrow key from Apple?

Since above flaws let mobile phone compromised. Hacker can remote control the phone for recording voice call, take photo shot send to their end. The personal data inside iphone is available to export. From technical point of view, there is no need to request escrow key! See how important of the overall design? Although the crypto mechanism  integrate to hardware mitigate the risk, however a flaw such a way crack down the Apple protection wall!