How to rescue yourself on this month. SMB flaw, apply to all windows platform

May 22, 2017 admin 171 Comments

Quote:

By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys

Blocking outbound SMB connections – TCP ports 139 and 445 along with UDP ports 137 and 138 – from the local network to the wide area network…..said US CERT

Reminder: Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Windows OS design objective: In Windows 8, the SMB 3.0 protocol is supported. The Mrxsmb10.sys driver handles legacy SMB traffic, and the Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Phenomenon: We have confirmed that without apply the patch on May those Windows 10 , Windows 8.1 client systems as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2 are all encountered SMB vulnerability. In the sense that it is vulnerable.

Current Situation 1: If you are windows OS home user (all windows OS platform), be aware and confirm apply below hot-fix to your home workstation.

https://technet.microsoft.com/en-us/library/security/ms17-012.aspx

Current Situation 2:If you are IT guy maintained whole bunch of MS windows server. You are the technical expert and believed that the hotfix you apply already. But I would like to bring your attention of on server SMB registry.

What’s the reason to point out the SMB registry. It is a quick way to isolate the problem once you suspect that you file server may encounter malicious attack. As a matter of fact, registry check is one of the fast path know what is happen in malware movement.

Regarding to the subject matter, our objective is going to discuss how to rescue yourself this month due to SMB flaw, right? I written an techincal article yesterday mainly highlight the SMB flaw. For more details, please find below url for reference.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

Any information update will keep posted. Thank you for your kind attention.

System

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

May 20, 2017 admin 470 Comments

Preface:

Ransomware (#wanacrypt0r #wannacry #ransomware #wcry) outbreak since last Friday 12th May 2017 till this week. Believed that no room discuss here since you are easy to get the information update on internet. However SMB is our discussion topic today. As we know SMB ver 1 is the culprits of Wanacrypt. The side effect looks only affected outdated windows OS (2003,XP,Me and Vista) or recently end of support product (Windows 2008 instead of 2008 R2)! In the meantime, do you have issue to worry like myself on SMB version 2 and version 3?

SMB critical flaw historical background:

Vulnerability in Microsoft Windows SMB2 -_Smb2ValidateProviderCallback() flaw found 2009.

An attacker could exploit this flaw to disable the remote host or to execute arbitrary code on it.

Solution:

As a workaround, you can disable SMB2 by editing the registry.Under the hive HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters

Create the key ‘Smb2’ (of type REG_DWORD) and set it to ‘0’

On August 11, 2015 Microsoft released SMB Server fix on SMB (MS15-083 – Microsoft Windows SMB Memory Corruption Vulnerability). An authenticated remote code execution vulnerability exists in Windows that is caused when Server Message Block (SMB) improperly handles certain logging activities, resulting in memory corruption. A successful exploit could corrupt memory in such a way as to allow the attacker to execute arbitrary code. A successful exploit could result in a complete system compromise.

SMB architecture

The structure of the header is as follows:

SMB_Header
   {
   UCHAR  Protocol[4];
   UCHAR  Command;
   SMB_ERROR Status;
   UCHAR  Flags;
   USHORT Flags2;
   USHORT PIDHigh;
   UCHAR  SecurityFeatures[8];
   USHORT Reserved;
   USHORT TID;
   USHORT PIDLow;
   USHORT UID;
   USHORT MID;
   }

Why SMB always encounter vulnerabilities? Why old version of SMB need to stay on windows OS?

NSA surveillance tool kit named EternalBlue exploits a vulnerability on SMB. From my personal point of view, not surprise! Since no operation systems are prefect, right! But the earliest time SMB encountered flaw was back time to 2009. A flaw was found on Microsoft SRV.SYS Driver. The symptom exploit that a Remote Code Execution vulnerability in Microsoft SMB Servers (WriteAndX Invalid DataOffset).

Remark: Srv.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware etc (see below picture for reference). Microsoft suggest that Srv.sys should be set to start on demand since it is only communicate with old fashion client such as windows XP.

Command: sc config srv start=demand

Regarding to security vendor Rapid 7 findings on 2009, Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table exploits an out of bounds function table dereference in the SMB.

Looks irritating, we are not going to post all the flaws. But I am interested that is there something get wrong from fundamental design causes such non stop vulnerability. As far as I know, all SMB family are easy to causes vulnerable. Even though SMB3! An official announcement by Microsoft highlight that transferring files by using SMB2 or SMB3 causes memory leak on a windows computer (see below url for reference). And then Microsoft issued a hotfix held on 2017.

https://support.microsoft.com/en-us/help/2928360/transferring-files-by-using-smb2-or-smb3-causes-memory-leak-on-a-windows-computer

Our Observation:

Take the latest reference as an example. See how the weakness of SMB. Yes, it is not a SMB2 or 3. Since SMB2 and SMB3 obtain their own design weakness on memory validation (see above description). OK, Let’s go. We start the journey.

Equation Group’s (NSA) wake up all the IT guys, attacker can easy initiate a Ring 0 attack relies on SMB. They took below action:

Determine x86 or x64
Confirm and locate the IDT(Interrupt Descriptor Table) from the KPCR( (Kernel) Processor Control Region).
Viewing Physical Memory Addresses in OllyDbg, Traverse backward from memory address. That means from end return to 1st interrupt handler to find ntoskrnl.exe base address.

If the beginning of the file does not begin with “MZ” or “ZM”, it is not an DOS or Windows executable image. Otherwise you may have one of the following types of executable formats: plain DOS, NE (Windows 16-bit), LE (16-bit VXD), PE32, or PE32+ (PE64).
Determine if you have a plain DOS executable by looking at the e_lfanew value. A plain DOS executable will have an out-of-range e_lfanew pointing outside of the limits of the file, a zero, or if the offset happens to be in range, the signature at its offset won’t match any signatures below.

Try to match the signature of the “in-range” offset pointed to by e_lfanew with the following WORD or DWORD values:

"PE" followed by two zero bytes if the image is a PE32 or PE32+ (PE64) and is further determined by the "magic" in the NT Optional Header
"NE" indicates the image is a 16-bit Windows executable
"LE" indicates the image is a 16-bit Virtual Device Driver (VXD)

5. Reads ntoskrnl.exe’s exports directory, and uses hashes to find ExAllocPool/ExFreePool/ZwQuerySystemInformation functions.

Remark: If you would like to call ZwQuerySystemInformation, a parameter need attach with the command. You must input buffer as size of SYSTEM_PROCESS_INFORMATION. And then checking the return value and return requied size. If the return is not success, you must make the second call with input buffer of requied size (i.e.size return from the first call).

6. Calls ZwQuerySystemInformation with the SystemQueryModuleInformation argument, which loads a list of all drivers. It uses this to locate Srv.sys, an SMB driver.

7. Switches the SrvTransactionNotImplemented() function pointer located at SrvTransaction2DispatchTable[14] to its own hook function.

Remark: Npp buffer + 0x100 directly written before the leak out of the function table

Above scenario happen SMB or SMB v1 only. But when we know SMB2 and SMB3 also found vulnerability on memory side. My research is on the way, my friend I will keep you posted if there is anything updating.

Uncategorized

Security Alert ! Trap of wannacry – status update on 29th May 2017

May 15, 2017 admin 164 Comments

Is it anti-tradition? IT folks, do you white list ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Expert was told, the strange design of Wannacry will stop spread the ransomware to known subnet once he can get in touch with his C&C server. But do you think this is a trap? I speculated that ramsomware intend to create this trap fool the guy who think this is a solution and then can easy go to their internal network in 2nd phase. So the better idea is that do not input this domain into your whitelist. Cheers!

Information update on 18th May 2017

Recently Wana Decrypt0r 2.0 C&C server:

57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Wana Decrypt0r 2.0 modify the Windows Registry Editor and target the following sub-keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd
HKCU\Control Panel\Desktop\Wallpaper

Encryption algorithms:

AES (Advanced Encryption Standard) 128 – cannot be decrypted the file until you receive the FEK (File Encryption Key). This key may be the only method to decrypt the files .

Structure of an Encrypted File

Rivers-Shamir-Adleman or RSA – Wanncry design objective intent to generate unique public and private keys for each of the files. This makes the decryption of each file separate and very difficult and unique process.

Observation:

Attention: If no data backup on hand, it is hard to say pay the ransom is the solution. Since WanaCrypt0r .WNCRY contained extreme destroy concept and enforce to delete the shadow volume copies and eradicate all chances of reverting your files via backup on the infected computer (see below destroy scenario command syntax). The security concern is that it is hard to guarantee that it is virus free after hard disk encrypt on victim machine. As a matter of fact, WannCry via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware. No evident to proof that WannCrypt0r will remove his footprint after victim pay the ransom and therefore victim machine still vulnerable until execute a low level format of the hard disk and reinstall all the application. But it is hard to tell at this moment. Therefore it must be handle the data carefully after you pay the ransom.

The extreme destroy command syntax are shown as below:

vssadmin delete shadows /all /quiet2.
wmic shadowcopy delete

Remark: At user level below command can do in the following step: Go to Start Menu-All Programs-Accessories,then right-click Command Prompt and select Run As Administrator,because Administrative privileges are required to use BCDEdit to modify BCD

3. bcdedit /set boostatuspolicy ignoreallfailures
4. bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Hints and Resolution found on 19th May 2017

Hints that Windows 7, XP, Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2 instead of Windows 10 . The OS itself keeps a copy of the two prime numbers that it provided to WannaCry in memory. Those primes can be recovered. It is possible to relies on this feature to compute the encryption key and then used to decrypt all encrypted data. A tool make use of above criteria and might have way to decrypt your data. For more details, please refer to below url for reference.

https://github.com/aguinet/wannakey

If above hints can’t help and you would like to keep the encrypted data. You can do the following.

Backup all your files (00000000.eky and remaining files). May be in future, there is new resolution which provide the key decrypt your data.

Blockchain

Part 3 : Blockchain technology – Trend benefits finance and crime

May 13, 2017 admin 206 Comments

Preface:

Take on public transportation today (11th May 2017), the headline news display on advertisement screen guide me start the discussion on block chain technology again. It looks a realistic situation intend to boots up block chain technology growth. Let’s take a quick seen!

As of 6 February 2016, there are 15.2 million bitcoins circulation of a capped total of 21 million.

Bitcoins current status: As of today 11th May 2017

Total volume: 1800 Billion of dollars
4 days exchange volume equal to 30 Billion of dollars

Block chain space Radical changes on 2017

In 2017 Microsoft announced their participation in the newly formed Enterprise Ethereum Alliance. Joining them are also companies such as Intel, J.P. Morgan, BNY Mellon, BP, ING, Thomson Reuters and blockchain startups. In general, my idea on key word “Ethereum” only focus on security incident. Sounds like that I am not suggest anyone to create Ethereum to let hackers get away your money.

Quote: “In general, the Ethereum community is on board with the notion that we do not have to do things exactly the way that things are done in other crypto communities,” -shortcut from Bloomberg Business week.

As a matter of fact, new technology has technical limitation not the 1st day we heard, but it has the mature model finally, right? So I am not keen to my stubborn to say not suggest to use. Perhaps a positive discussion might provide more positive idea in this regard.

High Level understand of Ethereum

Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract (scripting) functionality.

Platform‎: ‎x86, ARM

Initial release‎: ‎30 July 2015

Written in‎: ‎C++‎, ‎Go‎, ‎Rust

Operating system‎: ‎Clients available for Linux, ‎Windows‎, ‎macOS‎, ‎POSIX‎, ‎Raspbian

Technical weakness on security viewpoint

Programming language: C++

Security problems with C and C++ programs is hard to avoid the following issue:

buffer overflow attack
Integer problems in C/C++
File I/O risks
Temporary files / a C++ TOCTOU vulnerability
Unicode bug‎

Programming language: Go

How are blockchain application developed by “GO”. What is “Go”? “Go” is a free and open source created at Google in 2007 by Robert Griesemer, Rob Pike, and Ken Thompson . Like other programming language, this programming language contain their design limitation. The vulnerability found this year was shown that the “Go” SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

Programming language: Rust

Rust is a general purpose programming language sponsored by Mozilla Research. It is designed to be a “safe, concurrent, practical language”, supporting functional and imperative-procedural paradigms. Rust is syntactically similar to C++, but is designed for better memory safety while maintaining performance. Rust only panics from integer overflow when in debug mode. So it looks that this programming languages suitable for developers build block chain system application.

Remark: Developer Analyst firm Redmonk charted Rust’s move on the Github rankings from 46 to 18.

Modern cyber technology crisis

Ransomware attack is the 1st priority of concern:

Ransomware (Wannacry) attack hits 99 countries with UK hospitals among targets yesterday. As we know the specifics attack are leveraging a Windows exploit harvested from the NSA called EternalBlue (MS17-010 – the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server). As a result it trigger the one to many attacks within the internal network. Since it relies on SMB so it spread out in extremely fast way. We are not going to discuss this incident today.

The reflections of this incident let us know the design weakness can kill the system within 1 minutes and broadcast the attack to neighbor. Be reminded that even though block chain or Ethereum technology network are built by group. It is a star topology network. A benefits for system and network resilience. However it increase the inherent risk.

Peer-to-peer communications between nodes running Ethereum clients run using the underlying ÐΞVp2p Wire Protocol. It is very secure. However if a trust client being compromised. From techincal point of view, hacker will more easy to infiltrate into it. Besides, the objective of ransomware target for ransom (money). If the victim workstation (Ethereum client) or mobile phone (Ethereum client) was compromised by ransom (whole hard drive encrypted). A high possibility to pay for the ransom otherwise he will lost more money.

Observation

As said, Ethereum deploy a high standard of secure protocol ( ÐΞVp2p Wire Protocol). However you can drill down in different area see whether can find out the design limitation. For instance a well known vulnerability. A Java Debug Wire Protocol remote code execution. The problem was that JDWP ( Java Debug Wire Protocol) is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. Any impact here!

But my concern is on fast synchronization process. In the mean time I am still analysis what is the possibility to fool the remote peer on GetNodeData step. For more detail, please refer below specification.

Fast synchronization (PV63) specification:

GetNodeData [+0x0d, hash_0: B_32, hash_1: B_32, …] Require peer to return a NodeData message. Hint that useful values in it are those which correspond to given hashes.

NodeData [+0x0e, value_0: B, value_1: B, …] Provide a set of values which correspond to previously asked node data hashes from GetNodeData. Does not need to contain all; best effort is fine. If it contains none, then has no information for previous GetNodeData hashes.

GetReceipts [+0x0f, hash_0: B_32, hash_1: B_32, …] Require peer to return a Receipts message. Hint that useful values in it are those which correspond to blocks of the given hashes.

Receipts [+0x10, [receipt_0, receipt_1], …] Provide a set of receipts which correspond to previously asked in GetReceipts.

Summary:

Our discussion stop here today. I will provide more update in this regard. Thank you.

Reference:

Part 2:Blockchain technology situation – Malware join to bitcoin mining

Part 2:Blockchain technology situation – Malware join to bitcoin mining

Part 1:Blockchain technology situation – A Tales of Two Cities

http://www.antihackingonline.com/network-protocol-topology-standard/part-1blockchain-technology-situation-a-tales-of-two-cities/

Application Development, Network (Protocol, Topology & Standard)

Who spying on me? Da Vinci or Archimedes?

May 9, 2017 admin 285 Comments

Preface:

Archimedes’ principle is a law of physics fundamental to fluid mechanics.

Leonardo Da vinci is widely considered one of the most diversely talented individuals ever to have lived.

Since they are the famous scientists. They dedicate their inventions to the world. But we known the infamous tools in cyber world for the government surveillance program. The most famous eavesdropping feature type of malware. Those surveillance tools make use of similar naming convention. From general point of view, it looks that it is not respect of these two great scientists!

About Da vinci Spy tools

A powerful spy software developed by Italian hack team, the tool benefits to track a person’s calls and other communications in real-time. This tools only sell to law enforcement or government agent. Italian Hacking Team was hacked by other hacker group on 2015. More than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers display on embedded torrent file share link. A rumors were told that Italian hack team blamed their customer unethical collect their technology and hack them.

About Archimedes tool

We all known tool used by the CIA named “Archimedes” open to the world through WikiLeaks on 5th May 2017. Archimedes developed by CIA engineering development Group. The project code so called UMBRAGE project. It is a interested project code name. The definition of Umbrage means offense; annoyance; displeasure: to feel umbrage at a social snub; to give umbrage to someone; to take umbrage at someone’s rudeness.

Technology

Da vinci Spy tool

Da vinci spy tool relies on JAR (Java ARchive) , Microsoft Office and Adobe Flash Player design limitation as a infection media to fulfill their remote control system (RCS) criteria (see below). A more advance technique of tool easy to fool the cyber defense mechanism since this is a unknown attack (zero day) and therefore it will be more easily to spread out the spyware fulfill their objective.

1. Self-signed JAR
2. CVE-2012-4167: Integer overflow in Adobe Flash Player
3. CVE-2010-3333: Stack-based buffer overflow in Microsoft Office
4. CVE-2012-5054: Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player
5. CVE-2012-1682: Unspecified vulnerability in the Java Runtime Environment (JRE)
6. CVE-2013-0633: Buffer overflow in Adobe Flash Player

Archimedes

Archimedes is an update to Fulcrum 0.6.1. The design objective of Fulcrum. Fulcrum will direct a target machine’s HTTP client traffic to the URL of the attacker’s choice. The technique involves ARP Spoofing to Get In the Middle and HTTP Traffic Injection. The simple conceptual idea shown in below picture.

Archimedes (Fulcrum 0.6.2) focus windows OS with high flexibility. The attacker can execute Fulcrum as an EXE with Compiled Parameters. In order to avoid anti-virus program protection .The remote attacker can run as DLL with rundll32.exe with CommandLine Parameters. The tool itself is not sophisticated. Attacker can easy to get rid following files (f32.exe,f32.dll,fs32.exe,fs32.dll,f.cfg and f.log). The normal computer user do not know what is happen.

Capability and Flexibility

Da vinci Spy tool:

Capability: small footprint, unknown vulnerability (zero day)

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Archimedes :

Capability: small footprint, similar normal application program service daemon

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Similarity

Both spy tools (Da vinci & Archimedes (Fulcrum 0.6.2))are using inline hooking technique (see below).

However Archimedes (Fulcrum 0.6.2) looks develop infiltration technique from layer 2. For instance ARP cache poisoning. Both spy tools entry point (infiltration) looks have differences! Da vinci more focus on layer 7 (application) and Archimedes run on layer 2. Seems it is hard to proof the integrity of the rumors (Italian hack team blamed their customer unethical collect their technology and hack them). But it is not the absolute answer. Let’s keep our eye open on wiki-leaks to know more!

Reference:

https://wikileaks.org/vault7/#Archimedes

Uncategorized

Proof of idea! Who bear unredressed injustice APT activities in 2013.

May 2, 2017 admin 287 Comments

Wiki released confidential document on 28th April, 2017, the details is exposed how government enforcement agency (CIA) counterfeit Russian and Chinese cyber activities. We receive the basic understanding of the Scribbles . To be honest, it is common that when government agency take the criminal action. However of this confidential information exposed. My reflections drive me to review my former written articles on other discussion forum during 16th April 2016. I was question that engage the investigation on Advanced Persistence threat (APT) might mislead the direction of the result. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. The overall idea to me on this issue, I can do a scenario replay to assembly the story. Since this is only my speculation and imagination. As a matter of fact, it looks with high possibility. If you are interest, please go ahead to read more.

The story given out from my memories, it is talking about 4 years ago. The senior person (owner) of a consulting company email account was hacked. The security guru found that there is a Advanced Persistence threat (APT) activities given by China. A rumours were told that the people who found this so called Advanced Persistence threat (APT) is the anonymous group. This powerful under ground group found out this incident and intend to provides hints and finger print let the security consultant found out the truth. My personal opinion is that such incident might contained some shadow node. Also it is easy to counterfeit the attack. Today it looks that the secret information exposed by Wiki leak provides more possible factors. At the same time it make people queries the result in 2013. At least I am the one who question this result. Below is my speculation how CIA counterfeit the cyber activities let the APAC countries especially China bare unredressed injustice causes.

Latest WikiLeaks release shows how the CIA uses computer code to hide the origins of its hacking attacks and ‘disguise them as Russian or Chinese activity’

https://wikileaks.org/vault7/?marble#Marble

Recap my discussion details on 16th April 2016

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that attached diagram can provide an idea to you in this regard.

System

Are 64-bit OS malware proof?

April 27, 2017 admin 36 Comments

Preface:

As we known, computer process direct work with Kernel (Ring 0) is quite dangerous. More realistic to say is that Real mode, also called real address mode, is an operating mode of all x86-compatible CPUs. Real mode provides no support for memory protection, multitasking, or code privilege levels. Windows 95 executes drivers and process switching in ring 0, while applications, including API DLL such as kernel32.dll and krnl386.exe are executed in ring 3.

We found trick on Windows 10. For instance, you are allow to run 16 bit application on 32 bit (Window 10) operating system. But not allow to run 16 bit application on 64 bit (Windows 10) OS.

Why? A processor limitation of 64 bit OS to execute (non-protected mode) 16-bit code. The 64-bit versions of Windows include 32-bit protected mode runtime libraries, but do not include any 16-bit protected mode runtime libraries. But how’s the mystery allow execute a Dos command prompt on 64-bit (Windows 10)OS? The Dos emulator make the magic.

The kernel of windows 10 is located at top of memory. The 64 bit OS of memory support 3.5GB RAM above, hacker have difficulties to find out the kernel process finger print in memory. Apart from that, the 64 bit operating system Kernel executable not direct reachable! Since it can’t communicate with kernel directly. Therefore a common criteria consensus 64 bits OS is malware proof.

Have you heard the weakness of superman? Kryptonite are able to reduce his power?

The origin story of Superman relates that he was born on the planet Krypton. Kryptonite is a radioactive mineral from Krypton. It was produced during explosion of Krypton. Kryptonite are able to reduce superman power. A similar scenario of 64 bit OS system. Since Kernel executable not reachable. However PAGE TABLE is loaded below 4GB. So it is possible to do the follow concept to unlock windows 10.

Viewing and Editing Registers in WinDbg

Solution: Self-ref entry technique

Reference: In 32 bits, this entry is usually located in the PAGE DIRECTORY, even with PAE enabled.
In 64 bits, this entry is located in the PML4

CPU CR3 register point to physical address (PA) of PML4
PML4(entry) point to PA of PDPT
PDPT(entry) point to PA of PD
PD(entry) point to PA of PT
PT contains Page Table Entries

As a result a re-used entry in the four paging levels, which means that this is used by the CPU as PML4 entry, PDPT entry, Page Directory entry and Page Table entry at the same time.

Busy this week, allow for me to complete the remaining part next week, Sorry!

IoT

IT cup noodles – fast step detect IoT devices on your network

April 20, 2017 admin 166 Comments

Preface:

The world has been changed. Modern people all unforgotable a key word on mouth. What’s is this? The word efficiency. No matter you wait for dinner, buy lunch, queue in cinema buy the ticket. We all looking for the final expectation is quick! Right? Since our standard life without computation is hard to survival. How about cyber security. The headlines news alerts you daily of cyber incidents. Whereby manufacturer and business man satisfy your expectation. For the food, we have ready to eat noodle. But how about the cyber security solution. Any Quick and done solution available in the market? Yes, it is available. Regarding to the subject matter, below solution is the quick and dirty solution to figure out the IoT devices inside your network! Sounds like a Japan food product (Cup Noodle). Be my guest. Enjoy!

Requirement:

As of today, firm install the SIEM product is the major component to compliance standard. No matter PCI, SOX & ISO 27001 compliance standard they are all require a central log management system. The technical term so all SIEM (Security information and event management). The SIEM system carry a major powerful feature so call correlation rule. The scenario is that SIEM system will identify and filter the specifics log event of the device on custom setup. Then provide a status update (send the notification email) alert on duty IT staff what is the current situation.

Since the function is ready. We can g to next step.

What is the theory?

As we know, the ethernet mac address contains vendor ID name field (see below diagram for reference) to determine the corresponding vendor. Since this vendor ID is unique and therefore we can make use of this vendor ID to figure out the target.

Criteria (specifications):

The SIEM system default function come with parser function to identify the MAC address of each device. Since most of the log event format are compliance to common standard. The most popular one of the standardization is the common event format (CEF).

The format called Common Event Format (CEF) can be readily adopted by vendors of both security and non-security devices. This format contains the most relevant event information, making it easy for event consumers to parse and use them.

Procedure:

Define rogue device detection on SIEM system. SIEM system is able to use the first few octets of a mac address to identify a rogue device. If so, then you could then use the vendor part of mac address to enforce your company IT policy. Avoid the IoT devices hide inside your network and reduce the insider threat. Below breakdown list is the vendor MAC address for your reference. Since my vendor ID on hand more than 100 pages and therefore not going to post here.

F8A45F	Xiaomi Communications Co Ltd
8CBEBE	Xiaomi Communications Co Ltd
640980	Xiaomi Communications Co Ltd
98FAE3	Xiaomi Communications Co Ltd
185936	Xiaomi Communications Co Ltd
9C99A0	Xiaomi Communications Co Ltd

84742A	zte corporation
BC3AEA	GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD
E8BBA8	GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD
8C0EE3	GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD
006B8E	Shanghai Feixun Communication Co.,Ltd.

C81479	Samsung Electronics Co.,Ltd
54FB58	WISEWARE, Lda
A42940	Shenzhen YOUHUA Technology Co., Ltd
B00594	Liteon Technology Corporation
C0A0BB	D-Link International
28A1EB	ETEK TECHNOLOGY (SHENZHEN) CO.,LTD
4CCBF5	zte corporation
F0F5AE	Adaptrum Inc.
F42896	SPECTO PAINEIS ELETRONICOS LTDA
5C36B8	TCL King Electrical Appliances (Huizhou) Ltd.
90F3B7	Kirisun Communications Co., Ltd.
DCAD9E	GreenPriz
B4827B	AKG Acoustics GmbH
3C18A0	Luxshare Precision Industry Co.,Ltd.
186472	Aruba Networks
4CB81C	SAM Electronics GmbH
2C3731	ShenZhen Yifang Digital Technology Co.,LTD
041A04	WaveIP
94E98C	Alcatel-Lucent
50206B	Emerson Climate Technologies Transportation Solutions
C8EE75	Pishion International Co. Ltd
CC3429	TP-LINK TECHNOLOGIES CO.,LTD.
1C7B21	Sony Mobile Communications AB
BC9680	Shenzhen Gongjin Electronics Co.,Ltd
9C2840	Discovery Technology,LTD..
F89FB8	YAZAKI Energy System Corporation
709E29	Sony Computer Entertainment Inc.
E0B2F1	FN-LINK TECHNOLOGY LIMITED
F037A1	Huike Electronics (SHENZHEN) CO., LTD.

Conclusion:

As said, this is a fast food solution. If the above solution not suitable to your shop. The better idea is that invite your SIEM vendor to develop the appropriate solution fit for your requirement. It is now reach my lunch hour. Ok, we are stop the discussion here.

Cup Noodle please!

Application Development, Network (Protocol, Topology & Standard), System

Conduct self assessment enhance your cyber security setup

April 19, 2017 admin 160 Comments

Preface:

Although your in house IT setup has SIEM, IDS, IPS, ..etc. But you may have questions? What is the defense criteria. Yes, we fully understand that install full scope of defense mechanism might mitigate the risk, right? Implement the IT strategic outsourcing. Enforce the follow the Sun policy. Deploy the management security service. But think it over, those defense mechanisms are involve human operation. Perhaps the SLA agreement of your services provider promises 99.99 % response time. But cyber security incident handling method far away with normal IT operation framework. For instance, engage the forensic investigation sometimes consume time to isolate the problem. As a matter of fact, SLA looks like a value. The quicker you receive email reply or return phone call did not imply it boots up the value of cyber incident management.

Objective:

Now we look back the cyber incident history. The security experts and security analysis Guru are summarized the key factors of the weakness of IT infrastructure today. No matter how was the size of your firm. Below key elements can guide you to the appropriate approach.

Weaknesses of IT domain – Key elements

Unauthenticated protocols
Outdated hardware
Weak user authentication
Weak file integrity checks
Vulnerable Windows operating systems
Undocumented third-party relationships

If your firm is able to compliance above 6 items of key elements. I was say congratulation to you. But for the realistic point of view, I believed that it is not easy to archive. For instance, you application development team is going to enhance the application. However the application integrate with a legacy product. Furthermore the legacy product is retired of their product life cycle. You know what is the weakness and the vulnerabilities. As a matter of fact, it is not possible to inform your management team suspend the project process since this is a business objective. Similar fashion of scenario you might encountered or familiar. Any idea or resolution to resolve such business habit forming manner. Since all the final decision will be decide by CSO, CIO or coporate management team. But at least following hints can give more space to you for thinking of this subject matter.

Definition:

Use a security controls matrix to justify controls and identify the weakness of the specifics area. The design goal is that take the benefit of matrix table for simplification terms. Thus provide a straight forward path which can apply to the key objective area. Since we all tech guy and no need to mention in depth. For more details, please see below:

Base on the 6 key elements of weakness in overall IT Infrastructure. Below assessment tool can provides an overall idea to you which area of weakness encountered in your shop.

authenticated protocols	Availability SSL or VPN (Ipsec)	Change control policy
Router (GUI access)	Yes(1)/No(0)	Yes(1)/No(0)
Switch (GUI access)	Yes(1)/No(0)	Yes(1)/No(0)
Firewall (GUI access)	Yes(1)/No(0)	Yes(1)/No(0)
Managed security service (GUI access)	Yes(1)/No(0)	Yes(1)/No(0)
Cloud Farm (GUI access)	Yes(1)/No(0)	Yes(1)/No(0)
Total score	Full score (5)	Full score (5)

Outdated Hardware	Still operate	In-House hardware lifecycle policy
Router (OS obsoleted)	Yes(0)/No(1)	Yes(1)/No(0)
Switch (OS obsoleted)	Yes(0)/No(1)	Yes(1)/No(0)
Firewall (OS obsoleted)	Yes(0)/No(1)	Yes(1)/No(0)
Sever (Vendor support – End of Life)	Yes(0)/No(1)	Yes(1)/No(0)
PABX (CTI server)	Yes(0)/No(1)	Yes(1)/No(0)
Total score	Full score (5)	Full score (5)

user authentication	ID asset management	Single sign-on feature
Router Logon access	Yes(1)/No(0)	Yes(0)/No(1)
Switch Logon access	Yes(1)/No(0)	Yes(0)/No(1)
Firewall Logon access	Yes(1)/No(0)	Yes(0)/No(1)
Privileges ID	Yes(1)/No(0)	Yes(0)/No(1)
Application program service ID	Yes(1)/No(0)	Yes(0)/No(1)
Total score	Full score (5)	Full Score (5)

File integrity check	Top Secret / Confidential Data	Data classification Policy
Server	Yes(1)/No(0)	Yes(1)/No(0)
Web Application (External)	Yes(1)/No(0)	Yes(1)/No(0)
Web Application (Internal)	Yes(1)/No(0)	Yes(1)/No(0)
Database (DB)	Yes(1)/No(0)	Yes(1)/No(0)
Cloud farm	Yes(1)/No(0)	Yes(1)/No(0)
Total score	Full score (5)	Full score (5)

Vulnerability management	Zero day & critical patch	Incident management procedure
Router	Yes(1)/No(0)	Yes(1)/No(0)
Switch	Yes(1)/No(0)	Yes(1)/No(0)
Firewall	Yes(1)/No(0)	Yes(1)/No(0)
Server	Yes(1)/No(0)	Yes(1)/No(0)
Application	Yes(1)/No(0)	Yes(1)/No(0)
Total score	Full score (5)	Full score (5)

3rd Party relationship	Responsibilities (scope of works and support level of cyber security incident)	Dedicated subject matter expert implement in this role
Management security services	Yes(1)/No(0)	Yes(1)/No(0)
Web Hosting	Yes(1)/No(0)	Yes(1)/No(0)
Application (Vendor service support token)	Yes(1)/No(0)	Yes(1)/No(0)
Hardware maintenance (services provider)	Yes(1)/No(0)	Yes(1)/No(0)
Network (MPLS, Frame-link, Internet line, Boardband..etc)	Yes(1)/No(0)	Yes(1)/No(0)
Total score	Full score (5)	Full score (5)

Achievement:

What is your over performance score on above matrix table? If it is not suitable to your environment. No problem, please go ahead to modify the criteria and try to fit to your project scope. Even though external auditor engage the risk assessment they are using the same idea. Good luck to all of you!

Application Development, Cell Phone (iPhone, Android, windows mobile), System

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

April 11, 2017 admin 272 Comments

Flash Player has a wide user base, and is a common format for games, animations, and graphical user interfaces (GUIs) embedded in web pages. However the trend of HTML 5 is going to replace his duty on market. Google stop running Flash display advertisement on Jan 2017. The e-newspaper (Digital journal) foreseen that the Adobe’s Flash expected to be dead and gone by 2018. However, the software vendor Adobe release Flash Player 25 on Mar 2017. Before the discussion starts, , lets go through the current market status of Flash player. Below picture show the current market position of Flash. It looks that a significant drop of the market share today.

Market position 2017

A question you may ask? If the market share of the product dropped, it is not necessary to discuss a low popularity product. But my concerns on Adobe Flash application still valid. The fact is that even though you are not going to use. However Flash Player installed on your machine have inherent risk. Ok, make it simple. Let jump to our main topic now. It is the real-time media flow protocol from Adobe.

What is the Real-Time Media Flow Protocol (RTMFP)?

The Real-Time Media Flow Protocol (RTMFP) is a communication protocol from Adobe that enables direct end user to end user peering communication between multiple instances of the Adobe® Flash® Player client and applications built using the Adobe AIR® framework for the delivery of rich, live, real-time communication.

The evolution of Adobe system design

The IETF technical articles issued on Dec 2014 has following security consideration.

Cryptographic aspects of RTMFP architecture:
RTMFP architecture does not define or use a Public Key Infrastructure (PKI). Clients should use static Diffie-Hellman keys in their certificates. Clients MUST create a new certificate with a distinct fingerprint for each new NetConnection. These constraints make client identities ephemeral but unable to be forged. A man-in-the-middle cannot successfully interpose itself in a connection to a target client addressed by its fingerprint/peer ID if the target client uses a static Diffie-Hellman public key.

Servers can have long-lived RTMFP instances, so they SHOULD use
ephemeral Diffie-Hellman public keys for forward secrecy. This
allows server peer IDs to be forged; however, clients do not connect
to servers by peer ID, so this is irrelevant.

For more details on above matter, please visit IETF techincal articles https://tools.ietf.org/html/rfc7425#page-46

Our observation today

Since RTMFP is based on UDP. UDP (User Datagram Protocol) connectionless state which decreased latency and overhead, and greater tolerance for dropped or missing packets. RTMFP supporting groups in Flash player support multicast feature. If hacker counterfeit a malicious swf format file and deploy with spear phishing hacking technique. Since it is a multicast structure and therefore it is hard to located the original source file.

2. CVE-2017-2997 exploits vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution. However a design weakness looks appear on TVSDK , an out-of-bound read vulnerability found by FireEye on May 2016.

3. Besides, The AVM (Action script virtual machine) implements certain core features of ActionScript, including garbage collection and exceptions, and also acts as a bridge between your code and Flash Player. The use-after-free memory feature in AVM is protect by OS system. Even though implement Address space layout randomization (ASLR) and Data Execution Prevention (DEP) but still have way by-pass by attacker. Windows 8.1 Update 3 Microsoft introduced a new exploit mitigation technology called Control Flow Guard (CFG). CFG injects a check before every indirect call in the code in order to verify if the destination address of that call is one of the locations identified as “safe” at compile time. However overwrite Guard CF Check Function Pointer with the address of a ret instruction will
let any address pass Guard CF Check Function, and thus bypass CFG.

Overall comments on above 3 items:

It looks that Flash contained fundamental design limitation, may be there are more hidden risks does not discover yet. As far as I know, law enforcement agency relies on Flash vulnerabilities to implement the surveillance program (Reference to vulnerability on 2012). My suggestion is that it is better uninstall the Flash on your web browser especially enterprise firm IT operation environment. Since Information security is a continuous program, so stay tuned, update will be coming soon!

Flash Architecture

Remark: out-of-bounds definition – This typically occurs when the pointer or its index is incremented or decremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in corruption of sensitive information, a crash, or code execution among other things.

Application platform – Language C and C++

The chronology of attack

2012: The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detects this payload as Trojan.Pasam. The malicious files we have observed so far are contacting servers hosted in China, Korea, and the United States to acquire the necessary data to complete the exploitation. This attack is targeting Adobe Flash Player on Internet Explorer for Windows only.

2015: SWF file is used to inject an invisible, malicious iFrame

2017: (CVE-2017-2997, CVE-2017-2998,CVE-2017-2999,CVE-2017-3000,CVE-2017-3001,CVE-2017-3002 & CVE-2017-3003)

A buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
Random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
unpatch vulnerabilities lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003)