New SMBv1 flaw SMBloris discovered

security researchers at RiskSense have identified a 20-year-old Windows SMB vulnerability they called SMBloris , they presented their findings at the recent DEF CON hacker conference.

It can remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.

The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000.

Like most DoS attacks, the target system is overwhelmed by multiple service requests rendering it unavailable. Most modern systems require coordination of a massive number of attacking systems to overwhelm the target, referred to as a Distributed Denial of Service (DDoS) attack.

It is called the attack SMBloris because it is comparable to Slowloris, a 2009 attack developed by Robert Hansen. Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,” Dillon,senior security researcher at RiskSense said.

Microsoft has announced that the SMBv1 bug described at DEF CON won’t be patched because it could be fixed simply blocking connections coming from the Internet.

“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. explained RiskSense researchers Sean Dillon.

Attackers can trigger the SMBloris only if the target machine has SMBv1 exposed to the Internet, that’s why Microsoft argued that it is just a configuration issue.

NBSS is the NetBIOS Session Service protocol, every connection to it allocates 128 KB of memory that is freed when the connection is closed. The connection is closed after 30 seconds if no activity is performed.

With 65535 TCP ports available the attackers can fill up more than 8 GB, powering DDoS attack on both IPv4 and IPv6 it is possible to reach 16 GB. The volume could be doubled (32 GB) using two IPs, they can fill 32 GB.

The attack triggers the memory saturation for NBSS and it is necessary to reboot the server in order to restore a normal operation.

Advertisements

Google discovers & blocks a new Malware family-Lipizzan

Malware researchers at Google have spotted a new strain of Android spyware dubbed Lipizzan that could exfiltrate any kind of data from mobile devices and use them as surveillance tools.

The Lipizzan spyware is a project developed by Israeli startup Equus Technologies.

How does Lipizzan work?

According to the analysis published by Google:

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a “Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second “license verification” stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The spyware is also able to collect data from specific apps, including WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.

Google researchers have found at least 20 apps in Play Store which infected fewer than 100 Android smartphones in total, the company classified the infections as targeted attacks.

“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.” states Google.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep “unknown sources” disabled while not using it.
  • Keep your phone patched to the latest Android security update.

New Windows Backdoor CowerSnail Discovered

A new Windows Backdoor dubbed CowerSnail linked to the recently discovered SHELLBIND SambaCry Linux malware is discovered by the security researchers at Kaspersky lab.

SHELLBIND has infected most network-attached storage (NAS) appliances, it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share, and then cause the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.

SHELLBIND and the Backdoor.Win32.CowerSnail shares the command and control (C&C) server (cl.ezreal.space:20480).

Kaspersky states that “We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.”

CowerSnail first escalates the process priority and the current thread’s priority, then it starts communicating with its Command & Control server through the IRC protocol.

Unlike SambaCry, CowerSnail does not download cryptocurrency mining software by default, but instead provides a standard set of backdoor functions:

  • Receive update (LocalUpdate)
  • Execute any command (BatchCommand)
  • Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
  • Uninstall CowerSnail from service list (Uninstall)
  • Collect system information:
    • Timestamp
    • Installed OS type (e.g. Windows)
    • OS name
    • Host name
    • Information about network interfaces
    • ABI
    • Core processor architecture
    • Information about physical memory

170720-cowersnail-7

Conclusion

SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code “as is”. This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Multiple Vulnerabilities discovered in Nitro Pro PDF

The Beyond Security’s SecuriTeam has disclosed  multiple vulnerabilities in Nitro Pro PDF reported to them by two security researchers.

Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes with a built-in OCR engine that can transform scanned documents into editable files. Fill up forms, annotate and sign them as part of your workflow, and easily merge multiple documents or delete selected pages as necessary.

The vulnerabilities found in Nitro PDF are:

  • Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
  • App.launchURL Command Execution
  • JPEG2000 npdf.dll Use-After-Free
  • Forms Parsing NPForms.npp Use-After-Free
  • File Parsing Count Field npdf.dll Memory Corruption
  • NewWindow Launch Action NPActions.npp Command
  • URI Action NPActions.npp Command Execution

Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
The Doc.saveAs function does not validate either the file extension, the content of the PDF or if the path contains traversals before saving it to disk.

An attacker can leverage this to write a malicious file to the operating system in any path. This alone can be used to achieve remote code execution by writing into the users startup folder.

App.launchURL Command Execution
The App.launchURL function allows an attacker to execute commands with the privileges of the currently running user. However, a security alert or warning is typically triggered when doing so.

This can be bypassed if a $ sign is used within the path. Note that if an attacker does this, they will execute the file from the current directory, which may not be ideal for exploitation.

JPEG2000 npdf.dll Use-After-Free
When parsing a malformed embedded JPEG2000 image into a PDF the process will destroy an object in memory, forcing a pointer to be reused after it has been free. The reuse functions are located in the npdf.dll.

A detailed explanation can also be found here for another vulnerabilty.

The vendor has released patches to address this vulnerability. The new version 11.0.5 has patched all the security vulnerabilities.

BAD TASTE GNOME Vulnerability leads to Code Injection in Linux

A new vulnerability(CVE-2017-11421) has been discovered by German security researcher Nils Dagsson Moskopp dubbed as BAD TASTE , which is a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.

The POC has also been disclosed here.

“Thumbnail generation for MSI files in GNOME Files executes arbitrary VBScript.” states Moskopp.

The code injection vulnerability resides in “gnome-exe-thumbnailer” — a tool to generate thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have Wine application(a free and open-source software that allows Windows applications to run on the Linux operating system) installed on their systems to open it.

while navigating to a directory containing the .msi file, GNOME Files takes the filename as an executable input and run it in order to create an image thumbnail.

For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which if downloaded on a vulnerable system would compromise the machine without further user interaction.

Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exethumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.” explained the expert.

The expert highlighted that the problem is triggered due to the presence of just one line of code in /usr/bin/gnome-exe-thumbnailer:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.” Dagsson Moskopp added. 

Remedy (for users)

Delete all files in /usr/share/thumbnailers. Do not use GNOME FilesCinnamon Nemo or Mate caja. Uninstall any other software that facilitates automatically executing parts of filenames as code.

Remedy (for developers)

Do not parse files with bug-ridden ad-hoc parsers. Fully recognize inputs before processing them. Do not use templates, use unparsers instead. Read about LANGSEC.