Category Archives: Uncategorized

12th Jul 2018 – ISC Kea 1.4.0 failure to release memory may exhaust system resources

CVE-2018-5739: ISC Kea 1.4.0 failure to release memory may exhaust system resources

Hook/Hook Point – used interchageably, this is a point in the code at which a call to user functions is made. Each hook has a name and each hook can have any number (including 0) of user functions attached to it. Store leases and host reservations in a MySQL, PostgreSQL or Cassandra database rather than a text file.

official document for reference:

Jun 2018 – ALL NIPPON Airways Security Advisories

ALL NIPPON Airways Security Advisories

Airline application and protocol are proprietary in past 2 decades. The Airline terminal guarantee the reliability. Any counterfeit transaction or cyber attack no way to happen there. As times goes by, Airline industry react to develop mobile apps to expand the business function goal to cope with modern world. Japan airline is one of the responsible company. They are not intend to hide their mobile application design weakness. Believe that the specify design weakness not only happens on ANA airways mobile apps. May be it happen in other mobile apps but some of the company not aware or ignore.

Official announcement (see below):


Found buffer overflow, integrate overflow & memory corruption in redis – Jun 2018

If you have a database of geo-located data, what is the appropriate database setup? The geospatial require fastest database so Redis is one of the option.Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs and geospatial indexes with radius queries. Found buffer overflow, integrate overflow & memory corruption in redis. Technical details shown as below:

CVE-2018-12326, CVE-2018-11218 & CVE-2018-11219:


Dark power (malware) jeopardize the open geospatial data:

Dark power (malware) jeopardize the open geospatial data


Heads-up: Low-end Wi-Fi router vulnerability – 24th May 2018

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

The devices which could be affected by new malware (vpnfilter). Below is the checklist for reference.









Special Item: QNAP DEVICES  (Network-attached storage)

TS439 Pro
Other QNAP NAS devices running QTS software

The US Securities and Exchange Commission (SEC) new guidance

Big country versus Big discussion:

The US Securities and Exchange Commission (SEC) released a statement urge high-ranking executives not to trade stocks before the disclosing breaches, major vulnerabilities, and other cybersecurity related incidents.

New guidance –

Meanwhile Intel release guidance this week (details of availability and schedule for microcode update). For more details, please see below url for reference.

It is a funny cyber and economic world!



Staying alert – vulnerability found on ABRT in 2015 – CVE-2015-1862

As times go by, Linux especially Fedora replace the position of microsoft windows. This status no popular in personal PC however investment bank environement especially broker and forex exchange trading firm might using intensively. A vulnerabiity found on 2015 but the status of fedora bugzilla display that this is not a bug. My idea is that we must staying alert. Bugzilla status shown as below url:

Alert: Cisco CVE-2018-0125,CVE-2018-0117,CVE-2018-0113,CVE-2018-0116

Staying alert – Your Cisco products Cisco

RV132W and RV134W Remote Code Execution and Denial of Service Vulnerability – CVE-2018-0125 (Critical)

Cisco Virtualized Packet Core-Distributed Instance Denial of Service Vulnerability – CVE-2018-0117 (High)

Cisco UCS Central Arbitrary Command Execution Vulnerability – CVE-2018-0113 (High)

Cisco Policy Suite RADIUS Authentication Bypass Vulnerability – CVE-2018-0116 (High)

Observation: Since threat actors are around the world today. It is hard to avoid vulnerability happen perhaps it is out of hardware vendor control. In order to avoid unforseen issue occurs, it is better to enhance your IDS YARA rules or invite manage security services vendor to protect your IT campus.


Merry X’mas 2017

Christmas evolved over two millennia into a worldwide religious and secular celebration. We sing the song (Silent night, holy night) tonight. Let’s celebrate Christmas honoring the birth of Jesus Christ. Our friend computer system also say celebration but it is a hex code (48 61 70 70 79 42 69 72 74 68 64 61 79 4a 65 73 75 73 20 21 ). That’s is Happy Birthday Jesus. We wish you Merry X’mas and Happy new Year.

Assurance level of 3rd party software – Part 1


As we know google did the 3rd party application assurance last few months. Their objective is intend to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile)  was born on 2002 written in assembly language which target Microsoft software operating system products. As time goes by, the 2nd generation of metamorphic code capable changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of technology world on 2007 driven by Apple iPhone and Android. Thus such a way driven malware and rootkit re-engineering their architecture. As a result, their implant destination not limit on device drive itself. It also includes smartphone 3rd party application.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step lets the hacker do the hook or infiltrate job is to identify the usable memory space.  A parameter so called KeServiceDescriptorTableShadow. Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of
KeServiceDescriptorTable variable.

Below syntax get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTable; // array of entry-points PULONG puCounterTable; // array of counters ULONG uTableSize; // number of table entries PUCHAR pbArgumentTable; // array of byte counts } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Below syntax is retrieves its address in different version of Windows.

 ULONG Index;
 UONG MajorVersion, MinorVersion, BuildNumber;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
 else // Windows 2000, or Windows Vista
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
 for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
 KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
 if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
 && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
 return NULL;
 return NULL;

Below details on the picture left hand side show you the step how to relies on driver hook into the kernel process. In end-user point of view, there is a simple way to identify the current driver load into your PC or server. You just execute a command fltmc in your MS-DOS prompt. There is not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party driver load into the windows kernel. For more details, please refer to right hand side in below picture.


Hacker is difficult to find available address space due to ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitation might have possibility let hacker implant malware. However a better idea is that take easy way instead of difficult way. A way confirm that it is possible. From technical point of view, ASLR avoid hacker know the actual memory address.  How about run the malicious code driver and ASLR mechanism at the same time (simultaneously).That is pre-install a 3rd party driver with malicious code embedded then load the software driver during operating system startup. The way similar antivirus product using API hooking allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operation.  On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. And therefore hacker could be focus on 32 bit OS instead of 64 bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, running 32-bit code on a 64-bit operating system design with a destinate folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs to meet the design objective. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. Below diagram shown that the WOW64 emulator responsible for file system redirection for several key components of the Windows operating system.

To identify 32 bit and 64 bit environment changes depending on the registry key. For instance, the ‘rundll32’ is point to the specify registry (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.


This is the 32-bit version program thus everything will be remapped accordingly (see below diagram for reference)

Above details shown the registry and file redirection mechanism to execute 32 bit application on 64 bit of operating system. It looks fine that application not possible to work with incorrect bits environment since it governance by registry. However a fundamental design architecture looks provide benefits to the hacker (see below diagram for reference):

Above diagram indicated that software device driver module allow 32-bit software driver go thought module (WOW64) communicate with 64-bit Kernel function. So it has possibility go through the software driver then compromise the system. From security point of view, the server or workstation Antivirus processes will keep track all DLL activities on directory (c:\windows\SysWoW64). So what is the malware next action?

Malware next action

A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring. A hacking technique so called Register load image callback (see below)


How to prevent PsSetLoadImageNotifyRoutine

Microsoft have solution available against register load image callback flaw. Developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm the routine returns name information for an open file or directory. And therefore it is the way to avoid the fundamental design limitation of API system Call mechanism (PsSetLoadImageNotifyRoutine).

But what is the causes for system developers not intend to use this preventive mechanism.

FltGetFileNameInformationUnsafe allocates it’s own memory for the structure. As a result it will encountered blue screen and system crash once 3rd party software driver not follow the SDLC (software development life cycle).

Alternative type of attack  (This time does not intend to discuss in detail)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface)

Kernel mode : these rootkits modify the kernel data structures, as well as they hook the kernel’s own APIs. It compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.


Even though your IT infrastructure install full scope of detective and preventive control facilities. The 3rd software driver will broken your security facilities. Perhaps you have SIEM and central log event management product however such malicious activities is hard to detect since it is running in Kernel (Ring 0).  So a standard policy on software usage is critical goal on today cyber technology world. Believe it or not, a 3rd party software driver embedded malicious code can break your great wall.








Security Alert ! Trap of wannacry – status update on 29th May 2017

Is it anti-tradition? IT folks, do you white list ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Expert was told, the strange design of Wannacry will stop spread the ransomware to known subnet once he can get in touch with his C&C server. But do you think this is a trap? I speculated that ramsomware intend to create this trap fool the guy who think this is a solution and then can easy go to their internal network in 2nd phase. So the better idea is that do not input this domain into your whitelist. Cheers!

Information update on 18th May 2017

Recently Wana Decrypt0r 2.0 C&C server:

  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Wana Decrypt0r 2.0 modify the Windows Registry Editor and target the following sub-keys:

HKCU\Control Panel\Desktop\Wallpaper

Encryption algorithms:

  • AES (Advanced Encryption Standard) 128 –  cannot be decrypted the file until you receive the FEK (File Encryption Key). This key may be the only method to decrypt the files .

Structure of an Encrypted File

Rivers-Shamir-Adleman or RSA – Wanncry design objective intent to generate unique public and private keys for each of the files. This makes the decryption of each file separate and very difficult and unique process.


Attention: If no data backup on hand, it is hard to say pay the ransom is the solution. Since WanaCrypt0r .WNCRY contained extreme destroy concept and enforce to delete the shadow volume copies and eradicate all chances of reverting your files via backup on the infected computer (see below destroy scenario command syntax). The security concern is that it is hard to guarantee that it is virus free after hard disk encrypt on victim machine. As a matter of fact, WannCry via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware. No evident to proof that WannCrypt0r will remove his footprint after victim pay the ransom and therefore victim machine still vulnerable until execute a low level format of the hard disk and reinstall all the application. But it is hard to tell at this moment. Therefore it must be handle the data carefully after you pay the ransom.

The extreme destroy command syntax are shown as below:

  1. vssadmin delete shadows /all /quiet2.
  2. wmic shadowcopy delete

Remark: At user level below command can do in the following step: Go to Start Menu-All Programs-Accessories,then right-click Command Prompt and select Run As Administrator,because Administrative privileges are required to use BCDEdit to modify BCD

3. bcdedit /set boostatuspolicy ignoreallfailures
4. bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Hints and Resolution found on 19th May 2017

Hints that Windows 7, XP, Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2 instead of Windows 10 . The OS itself  keeps a copy of the two prime numbers that it provided to WannaCry in memory.  Those primes can be recovered. It is possible to relies on this feature to compute the encryption key and then used to decrypt all encrypted data. A tool make use of above criteria and might have way to decrypt your data. For more details, please refer to below url for reference.

If above hints can’t help and you would like to keep the encrypted data. You can do the following.

Backup all your files (00000000.eky and remaining files). May be in future, there is new resolution which provide the key decrypt your data.