- Exploit -

Last update 28.09.2017 14:51:09

Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code
18.5.2018 securityaffairs
Exploit

The Nethammer attack technique is the first truly remote Rowhammer attack: it does not require a single attacker-controlled line of code on the targeted system.
A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. The attack exploits a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

Rowhammer is a hardware problem affecting many modern DRAM devices: repeatedly accessing ("hammering") one row of memory can cause bit flips in physically adjacent rows. In principle this lets an attacker change bits in memory it is not allowed to write to.

The issue has been known since at least 2012; the first practical attacks were demonstrated in 2015 by researchers at Google's Project Zero.

To understand the flaw, recall that DDR memory is organized as an array of rows and columns. Blocks of memory are assigned to different services and applications, and to prevent one application from accessing memory reserved for another, the platform enforces an isolation ("sandbox") mechanism.

Bit flips induced by Rowhammer land in memory the attacker cannot write directly, so they can be exploited to break out of that sandbox.

A separate group of researchers has now demonstrated another network-based remote Rowhammer attack, dubbed Nethammer, which abuses uncached memory or cache-flush instructions used by the target while it processes network requests.

“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer” reads the research paper published by the experts.

The research team was composed of academics from the Graz University of Technology, the University of Michigan and the University of Rennes.

Nethammer is triggered by flooding the target with packets: processing them rapidly writes and rewrites the same memory used for packet handling, and the resulting bit flips can corrupt data the attacker could never touch directly and, depending on where they land, compromise the security of the system or cause a persistent denial of service.

The attack is feasible only with a fast network connection between the attacker and victim.
“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”

Processing such a flood results in a high number of memory accesses to the same set of memory locations, which can induce disturbance errors in DRAM and corrupt memory by unintentionally flipping bit values.

[Figure: Nethammer attack]

Attackers can exploit the resulting data corruption to gain control over the victim's system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the paper.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.”

The experts pointed out that caching makes the attack harder, because cached accesses never reach DRAM, so they devised techniques that bypass the cache and hit DRAM directly to cause the disturbance.

The experts successfully demonstrated three different cache bypasses for Nethammer technique:

A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction
Uncached memory on an ARM-based mobile device.
The experts observed a bit flip roughly every 350 ms, showing that it is possible to hammer over the network as long as at least two memory accesses per packet are served from main memory. They induced the flips by sending a stream of UDP packets at up to 500 Mbit/s to the target system.
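The two requirements quoted above (accesses must reach DRAM, so the attacker flushes with clflush or uses uncached memory) come down to the loop below. This is an added example written for this page, not the Nethammer authors' code or the kernel driver used in their first bypass: it hammers two addresses in user space with clflush after every read and then scans the buffer for flipped bits, the way the public rowhammer-test tools do. It assumes an x86 CPU where clflush is unprivileged (on other architectures the flush is stubbed out and the loop no longer bypasses the cache), and the 8 KiB distance between the two aggressor addresses is an arbitrary choice: without the physical-address-to-row mapping there is no guarantee they sit next to a victim row, so a result of zero flips only says that this short run induced none.

```c
/* Added example for this page (not the Nethammer paper's code): a user-space
 * Rowhammer hammer loop plus a bit-flip scanner. Assumes x86 clflush. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
/* Evict the cache line holding p so the next read is served from DRAM. */
static inline void flush_line(const void *p) { _mm_clflush(p); }
#else
/* No unprivileged flush assumed elsewhere: reads stay cached, no hammering. */
static inline void flush_line(const void *p) { (void)p; }
#endif

/* Read aggressors a and b and flush them, `rounds` times. Returns the
 * number of rounds performed (time it to get the DRAM access rate). */
size_t hammer(volatile uint8_t *a, volatile uint8_t *b, size_t rounds)
{
    for (size_t i = 0; i < rounds; i++) {
        (void)*a;                       /* volatile read: cannot be elided */
        (void)*b;
        flush_line((const void *)a);    /* force the next read to miss */
        flush_line((const void *)b);
    }
    return rounds;
}

/* Count the bits in buf[0..len) that differ from the fill pattern. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = (uint8_t)(buf[i] ^ pattern);
        while (diff) {
            flips += diff & 1u;
            diff >>= 1;
        }
    }
    return flips;
}

/* Fill a buffer with `pattern`, hammer two addresses inside it and return
 * how many bits changed (0 = no flip induced). (size_t)-1 on a buffer that
 * is too small for the assumed 8 KiB aggressor gap or on allocation failure. */
size_t hammer_and_scan(size_t buf_len, size_t rounds, uint8_t pattern)
{
    if (buf_len < 32768) return (size_t)-1;
    uint8_t *buf = malloc(buf_len);
    if (!buf) return (size_t)-1;
    memset(buf, pattern, buf_len);
    volatile uint8_t *agg1 = buf + buf_len / 2; /* assumed aggressor pair */
    volatile uint8_t *agg2 = agg1 + 8192;
    hammer(agg1, agg2, rounds);
    size_t flips = count_bit_flips(buf, buf_len, pattern);
    free(buf);
    return flips;
}

int main(void)
{
    /* 2 MiB buffer; a real susceptibility test runs hundreds of millions of
     * rounds and walks many aggressor pairs, not a single fixed one. */
    size_t flips = hammer_and_scan(2u << 20, 1000000, 0xFF);
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

For the network variant the interesting figure is the access rate: `hammer()` returns the rounds it completed, so timing a call gives the number of DRAM accesses per second that a given packet rate would have to reproduce through the victim's own packet-handling code.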

Unlike the original Rowhammer attack, Nethammer does not require any attacker-controlled code on the target: the hammering is driven entirely by the network traffic the victim has to process.

Unfortunately, attacks built on Rowhammer cannot be fully fixed with software patches: the root cause is in the DRAM hardware, so a real fix requires redesigning the affected components. In the meantime, threat actors may begin using Rowhammer techniques in the wild.

Further details on the Rowhammer attack are reported in my post titled “The Rowhammer: the Evolution of a Dangerous Attack”


Exploiting People Instead of Software: Report Shows Attacker Love for Human Interaction
16.5.2018 securityweek 
Exploit

Cybercriminals Continue to Rely on Human Interaction to Conduct Wide Range of Attacks

Cybercriminals have been scaling up people-centered threats, increasingly using social engineering rather than automated exploits, even in web attacks, a recent Proofpoint report reveals.

Humans have long been said to be the best exploit in the eyes of cybercriminals, with social engineering becoming the most-used attack method years ago, when almost all attached documents and URLs in malicious emails already required human interaction.

Now, Proofpoint’s The Human Factor 2018 report (PDF) reveals that both cybercriminals and threat actors have found new ways to trick victims into becoming their unwitting accomplices. Email remained the most popular attack vector, while the rise of crypto-currency drove innovations in phishing and cybercrime.

Proofpoint saw attacks that include both large, multimillion-message malicious campaigns distributing malware such as ransomware (the biggest email-borne threat of 2017) and highly targeted assaults orchestrated by state-sponsored groups and financially motivated fraudsters.

“Whether they are broad-based or targeted; whether delivered via email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale,” Proofpoint notes.

Last year, suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1, according to the report. Furthermore, 95% of observed web-based attacks used social engineering to trick users into installing malware, 55% of social media attacks impersonating customer-support accounts targeted customers of financial services companies, and 35% of social media scams using links took users to video streaming and movie download sites.

Dropbox phishing was the top lure for phishing attacks, but click rates for Docusign lures were the highest. Network traffic of coin mining bots jumped almost 90% between September and November, while ransomware and banking Trojans accounted for more than 82% of all malicious email messages. Although used often in email campaigns, Microsoft Office exploits usually came in short bursts.

The largest numbers of email fraud attacks hit education, management consulting, entertainment, and media firms, while construction, manufacturing, and technology were the most phished industries. Manufacturing, healthcare, and technology firms were targeted the most by crimeware.

Although ransomware predominated worldwide, banking Trojans were highly popular in Europe and Japan, accounting for 36% and 37% of all malicious mail in those regions, respectively.

Proofpoint has examined hundreds of thousands of SaaS accounts during risk assessments conducted across industries and says that around 1% of all cloud service credentials have been leaked. Furthermore, the security firm discovered that 25% of all suspicious login attempts to cloud services were successful (24% of all logins to cloud services were suspicious).

Attackers are increasingly using cloud services that users are accustomed to receive email notifications from to send malicious messages and host malware. While no major cloud services avoided abuse, services such as G Suite and Evernote were used to send phishing emails and malware.

“Most cloud platforms are extensible. Third-party add-ons open up new features, but they also create possibilities for abuse. We found a vulnerability in Google Apps Script, for example, that allowed attackers to send malware through legitimate emails that came from G Suite accounts,” the security researchers report.

Looking at how people behave in response to these threats, Proofpoint discovered that North American employees tended to click at the beginning of the work day, at lunch, and the end of the work day. South America followed a similar pattern, but Australian employees were more likely to click in the morning.

Half of all clicks (52%), however, occurred within one hour of the message being delivered, with 11% of recipients clicking the malicious URL within the first minute and a quarter within five minutes.

Usually focused on high-profile targets, state-sponsored attackers and established cyber criminals switched to targeting smaller targets in 2017.

The North Korea-affiliated Lazarus Group launched multistage attacks against individuals and point-of-sale (POS) infrastructure to steal cryptocurrency and consumer credit card data. The financially motivated FIN7 group started targeting individuals within restaurant chains using a new backdoor and malicious macros.

The Cobalt Group used new malware and document exploits in attacks against financial institutions and used anti-sandbox features to make detection more difficult.

The security firm also observed cryptocurrency phishing campaigns and identified sophisticated phishing templates targeting wallets and exchanges, including one attack that used malicious Office documents to install a banking Trojan. As of January, the researchers discovered over 100,000 Bitcoin-related domains, some supposedly registered for nefarious purposes.

“Social engineering is at the heart of most attacks today. It can come through something as simple as a bogus invoice lure in a multimillion message malicious spam campaign. It may appear as an intricate fake chain of emails and out-of-band communications in email fraud. Even web-based attacks—which once depended almost exclusively on exploit kits and drive-by downloads—are now built around social engineering templates. People willingly download bogus software updates or fake anti-malware software,” Proofpoint notes.


Wannacry outbreak anniversary: the EternalBlue exploit even more popular now
13.5.2018 securityaffairs
Ransomware  Exploit

WannaCry ransomware outbreak anniversary: according to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.
Exactly one year ago, on May 12, the WannaCry ransomware infected hundreds of thousands of computers worldwide.

The malware's success was due to its use of the EternalBlue exploit, which the Shadow Brokers stole from the arsenal of the US National Security Agency and leaked along with a large cache of other tools and exploits.

The group released a 117.9 MB encrypted dump containing documents suggesting that the NSA had compromised SWIFT systems in the Middle East.

Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and from Windows 2000 Server through Server 2003, 2008, 2008 R2 and 2012, but not against Windows 10 or Windows Server 2016.

In March 2017, a month before EternalBlue was released by Shadow Brokers, Microsoft released the MS17-010 security bulletin containing patches for SMB exploits including EternalBlue.

Just after ETERNALBLUE leaked online, security experts began observing a significant increase in the number of malware samples and hacking tools leveraging the NSA exploit as a self-spreading mechanism. Investigations into WannaCry revealed that at least three other groups had been leveraging the NSA's EternalBlue exploit.

A few weeks prior to the WannaCry outbreak, EternalBlue was used by the Adylkuzz cryptocurrency-mining botnet and by the UIWIX ransomware family.

EternalBlue targets a vulnerability in Windows' Server Message Block (SMB) implementation, reachable on TCP port 445; it works only against older, unpatched operating system versions, mainly Windows XP and Windows 7.

EternalBlue was later used by other malware, including NotPetya and Bad Rabbit.

According to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.

“And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.” reads the analysis published by ESET.

“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”

[Figure: EternalBlue detections, 2017 to May 2018 (ESET telemetry)]

Experts noticed a significant increase in the use of EternalBlue from September 2017 onward, reaching a peak in mid-April 2018; they believe a Satan ransomware campaign observed in April contributed to the rapid spike.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” continues ESET.

To mitigate the threat, apply the MS17-010 update, disable SMBv1, and do not expose SMBv2 to the internet either. Unfortunately, millions of devices with SMBv1 enabled are still reachable online, most of them in the UAE, US, Russia, Taiwan, and Japan.

☠️ Nate Warfield 💀 (@dk_effect), 4:49 PM - May 11, 2018:

Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows 🤦‍♂️🤦‍♂️


One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat
12.5.2018 securityweek
Exploit

One year after the WannaCry ransomware outbreak, the NSA-linked exploit used for propagation is still threatening unpatched and unprotected systems, security researchers say.

The WannaCry infection started on May 12, 2017, disrupting Spanish businesses and dozens of hospitals in the U.K. The malware hit Windows 7 the most and was estimated to have infected nearly half a million computers and other types of devices within 10 days.

The largest number of machines was hit in the first hours of the outbreak, before a security researcher discovered a kill-switch and slowed the spreading to a near stop.

“WannaCry served as a cybersecurity wake-up call for many organizations that were falling behind in their routine IT responsibilities,” Ken Spinner, VP of Field Engineering, Varonis, told SecurityWeek in an emailed comment.

“While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Spinner continued.

WannaCry was able to spread fast because it abused an exploit supposedly stolen from the National Security Agency-linked Equation Group. Called EternalBlue, the exploit was made public in April 2017, one month after Microsoft released a patch for it.

EternalBlue targets a vulnerability in Windows' Server Message Block (SMB) implementation on TCP port 445, but only older, unpatched operating system versions (mainly Windows XP and Windows 7) are affected.

Although it brought the exploit to the spotlight, WannaCry wasn’t the first malware to abuse it. During the weeks prior to the outbreak, EternalBlue was leveraged by a crypto-currency mining botnet and a backdoor. A ransomware family called UIWIX was also observed abusing it around the same period.

Despite Microsoft releasing a couple of patches for the security flaw targeted by EternalBlue, including an emergency patch for unsupported systems, tens of thousands of systems continued to be vulnerable last summer.

WannaCry, which was supposedly the work of North Korean actors, managed to wreak havoc a year ago, but it died fast. EternalBlue, on the other hand, remained strong, and was also abused in the global NotPetya attack last year.

In fact, security researchers say that the NSA-linked exploit is currently more popular among cybercriminals than it was a year ago.

Overall, more than 2 million users were observed being hit via the exploit from May 2017 to May 2018, Moscow-based security firm Kaspersky Lab told SecurityWeek.

The number of unique users hit by EternalBlue was 10 times higher in April 2018 compared to May 2017, with an average of more than 240,000 users being attacked via this exploit every month, the security firm also said.

“The fact that hackers keep targeting users using the EternalBlue exploit in their attacks means that many systems remain unpatched, which could lead to some dangerous consequences. It’s still highly important for organizations to take a close look at the security of their networks. Their first priority should be to install all necessary patches on time, in order to avoid losses in the future,” said Anton Ivanov, lead malware analyst, Kaspersky Lab.

According to ESET, not only did the popularity of EternalBlue increase significantly over the past months, but a “recent spike even surpassed the greatest peaks from 2017.”

Following a calmer period after the WannaCry attack, when only hundreds of detections were observed daily, the use of EternalBlue started picking up pace in September last year and reached new heights in mid-April 2018.

A Satan ransomware campaign observed last month likely contributed to the latest spike, but the exploit might have been used in other malicious activities as well, the researchers say.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” ESET points out.

The main reason EternalBlue usage is spiking is that millions of vulnerable devices remain exposed to the Internet, Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SecurityWeek.

“Immediately after the WannaCry epidemic last year, most security researchers advised people to disable SMBv1 entirely and make sure SMBv2 was not exposed to the internet. One year later and we are still seeing about 2.3M devices with SMBv1 exposed to the internet, with the majority of these vulnerable machines in the UAE, US, Russia, Taiwan and Japan,” Hahad said.

"The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them,” Hahad continued.
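Both WannaCry anniversary pieces end with the same advice: disable SMBv1 and keep SMB off the internet. The following is an added example written for this page, not code from ESET, Juniper or SecurityWeek, that checks one host for exactly that condition by sending a raw SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and classifying the reply. It assumes direct-hosted SMB on TCP/445 over IPv4 with a 5-second timeout, and it treats a dropped connection (what a Windows host with SMB1 disabled typically does) as "no reply" rather than as proof of safety. The sample reply embedded in it is constructed for the test, not captured from a real server.

```c
/* Added example for this page: a minimal SMB1 NEGOTIATE probe. Assumes
 * direct-hosted SMB on TCP/445 over IPv4. The sample reply is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>

#define SMB1_COM_NEGOTIATE 0x72

/* Build a NetBIOS-framed SMB1 NEGOTIATE offering only "NT LM 0.12".
 * Returns the request length (51) or 0 if the buffer is too small. */
size_t build_smb1_negotiate(uint8_t *out, size_t cap)
{
    static const char dialect[] = "NT LM 0.12";
    const size_t dlen = 1 + sizeof dialect;        /* 0x02 marker + string + NUL */
    const size_t smb_len = 32 + 1 + 2 + dlen;      /* header + WordCount + ByteCount + dialects */
    if (cap < 4 + smb_len) return 0;
    memset(out, 0, 4 + smb_len);
    out[1] = (uint8_t)(smb_len >> 16);             /* NetBIOS session header: type 0x00, */
    out[2] = (uint8_t)(smb_len >> 8);              /* then a 24-bit big-endian length */
    out[3] = (uint8_t)smb_len;
    uint8_t *h = out + 4;
    h[0] = 0xFF; h[1] = 'S'; h[2] = 'M'; h[3] = 'B';
    h[4] = SMB1_COM_NEGOTIATE;                     /* h[5..8]: NT status 0 */
    h[9] = 0x18;                                   /* Flags: case-insensitive, canonical paths */
    h[10] = 0x53; h[11] = 0xC8;                    /* Flags2: unicode, NT status, long names */
    h[24] = 0xFF; h[25] = 0xFF;                    /* TID: none yet */
    h[26] = 0xFE; h[27] = 0xFF;                    /* PID: arbitrary */
    h[32] = 0;                                     /* WordCount */
    h[33] = (uint8_t)dlen; h[34] = (uint8_t)(dlen >> 8); /* ByteCount, little-endian */
    h[35] = 0x02;                                  /* dialect string marker */
    memcpy(h + 36, dialect, sizeof dialect);
    return 4 + smb_len;
}

/* Classify a reply: 1 = an SMB1 dialect was accepted, 0 = the host answered
 * but refused SMB1 (error status, DialectIndex 0xFFFF or an SMB2 reply),
 * -1 = too short or not SMB at all. */
int parse_negotiate_reply(const uint8_t *buf, size_t len)
{
    if (len < 4 + 33) return -1;
    const uint8_t *h = buf + 4;
    if (h[0] == 0xFE && h[1] == 'S' && h[2] == 'M' && h[3] == 'B') return 0;
    if (!(h[0] == 0xFF && h[1] == 'S' && h[2] == 'M' && h[3] == 'B')) return -1;
    if (h[4] != SMB1_COM_NEGOTIATE) return -1;
    uint32_t status = (uint32_t)h[5] | ((uint32_t)h[6] << 8) |
                      ((uint32_t)h[7] << 16) | ((uint32_t)h[8] << 24);
    if (status != 0 || h[32] < 1) return 0;        /* error, or no parameter words */
    if (len < 4 + 35) return -1;
    uint16_t dialect_index = (uint16_t)(h[33] | (h[34] << 8));
    return dialect_index == 0xFFFF ? 0 : 1;
}

/* Constructed sample reply from a host that still speaks SMB1 (reply flag set,
 * WordCount 17, DialectIndex 0 = "NT LM 0.12"), truncated after DialectIndex. */
static const uint8_t SAMPLE_SMB1_REPLY[] = {
    0x00, 0x00, 0x00, 0x23,                          /* NetBIOS: 35 bytes follow */
    0xFF, 'S', 'M', 'B', SMB1_COM_NEGOTIATE,         /* protocol id, command */
    0x00, 0x00, 0x00, 0x00,                          /* NT status: success */
    0x98, 0x53, 0xC8,                                /* Flags (reply bit), Flags2 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,              /* PIDHigh, SecurityFeatures, Reserved */
    0xFF, 0xFF, 0xFE, 0xFF, 0x00, 0x00, 0x00, 0x00,  /* TID, PID, UID, MID */
    0x11, 0x00, 0x00,                                /* WordCount 17, DialectIndex 0 */
};

/* Connect to ip:port, send the request and classify the answer. Returns the
 * parse result, or -2 if the host was unreachable or closed without replying. */
int probe_smb1(const char *ip, uint16_t port)
{
    uint8_t req[64], resp[512];
    size_t n = build_smb1_negotiate(req, sizeof req);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -2;
    struct timeval tv = { 5, 0 };                    /* send/receive timeout; connect uses the OS default */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    ssize_t got = -1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) == 1 &&
        connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        send(fd, req, n, 0) == (ssize_t)n)
        got = recv(fd, resp, sizeof resp, 0);
    close(fd);
    return got > 0 ? parse_negotiate_reply(resp, (size_t)got) : -2;
}

int main(int argc, char **argv)
{
    static const char *verdict[] = { "no reply or unreachable", "not SMB",
                                     "SMB1 refused", "SMB1 ACCEPTED: disable it" };
    if (argc < 2) { fprintf(stderr, "usage: %s <ipv4-address>\n", argv[0]); return 2; }
    int r = probe_smb1(argv[1], 445);
    printf("%s: %s\n", argv[1], verdict[r + 2]);
    return r == 1;
}
```

Build with `cc -o smbprobe smbprobe.c` and run `./smbprobe 192.0.2.10` (a documentation address; substitute one of your own hosts). A verdict of "SMB1 ACCEPTED" on an internet-facing address is precisely the exposure the Juniper numbers above describe; "SMB1 refused" with an SMB2 answer means the host is reachable but the vulnerable dialect is off, which still leaves the "do not expose SMB at all" half of the advice to act on.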


Russia-linked Hackers Exploit Lojack Recovery Tool in Attacks
7.5.2018 securityweek APT 
Exploit  CyberSpy

Recently discovered “Lojack” agents containing malicious command and control (C&C) servers point to the Russian cyber-espionage group Sofacy, according to NETSCOUT Arbor.

Previously known as Computrace, Lojack is a legitimate laptop recovery solution used by companies looking to protect assets should they be lost or stolen. It can be used to locate and lock devices remotely, as well as to delete files.

Lojack represents a great double-agent because it is usually considered legitimate software but also allows for remote code execution, NETSCOUT Arbor's Security Engineering and Research Team (ASERT) points out. Moreover, the tool can survive hard drive replacements and operating system re-imaging.

Many of the anti-virus vendors in VirusTotal don’t flag the Lojack executable as malicious, but rather consider it as “not-a-virus” or “Risk Tool.” Additionally, with binary modification of the “small agent” considered trivial, it’s clear that attackers would consider the tool a viable target.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent. The attacker simply needs to stand up a rogue C&C server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C&C server,” ASERT notes.

The ASERT security researchers observed five Lojack agents that were pointing to four different suspected domains, three of which have been tied to Sofacy.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the threat actor is believed to have targeted the 2016 U.S. presidential election, as well as Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, including with zero-day exploits. The group was also observed shifting focus towards the Middle East and Central Asia last year.

In March 2018, a security researcher revealed that Sofacy attacks overlap with other state-sponsored operations, after the group’s Zebrocy malware was found on machines compromised by Mosquito, a backdoor associated with the Turla threat actor.

“ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations,” the security researchers say.

Only the presence of a rogue C&C makes the samples malicious, as attackers are merely hijacking the communication used by Lojack, the researchers say. Several of the domains extracted from the rogue agents trace back to Sofacy operations: elaxo[.]org, ikmtrust[.]com, and lxwo[.]org (tied to the group last year), and sysanalyticweb[.]com (spotted only recently).

Although hijacking legitimate software for malicious purposes is a publicly known tactic, similarities found in the binary comparisons and the infrastructure analysis make it more likely that the same actor was behind all of the samples.

The domains are associated with the same Lojack agent (same compile time) and carry nonsensical registrant information, with the same string repeated across multiple fields; a similar nonsensical word appears in both the Registrant Name and the Registrant Organization fields (the latter is often left blank, but this actor regularly fills in both).

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple ‘Risk Tool’, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems,” ASERT concludes.


MassMiner Attacks Web Servers With Multiple Exploits
4.5.2018 securityweek 
Exploit  Vulnerability

A recently discovered crypto-currency mining malware family is using multiple exploits in an attempt to increase its chances of successfully compromising web servers, AlienVault has discovered.

Dubbed MassMiner, the malware includes a fork of the internet scanning tool Masscan, which here is given a list of private and public IP ranges to scan during execution. After compromising a target, the malware first attempts to spread to other hosts on the local network and then attempts propagation over the Internet.

AlienVault observed multiple versions of MassMiner and says the malware continues to spread. The security firm identified compromised systems in Asia, Latin America, and Europe, but hasn’t established yet the full extent of the infection.

After using Masscan for reconnaissance, the malware attempts to exploit vulnerable systems with CVE-2017-10271 (Oracle WebLogic Server), CVE-2017-0143 (the NSA-linked SMB exploit EternalBlue, used to install the DoublePulsar backdoor), and CVE-2017-5638 (Apache Struts). It also attempts to brute-force Microsoft SQL Server logins using SQLck.

Once a Microsoft SQL server has been compromised, a script that installs MassMiner is executed, followed by a 1000+ line SQL script that disables important security features on the server, such as anti-virus protections.

On WebLogic servers, the MassMiner malware is downloaded by a PowerShell script, while a VBScript deploys it onto Apache Struts servers.

Once deployed, the malware establishes persistence, creates scheduled tasks to execute its components, modifies access control lists (ACLs) to grant full access to certain files on the system, and disables the Windows Firewall.

MassMiner downloads a configuration file from a remote server. This file contains information on the server to download updates from, the executable to infect other machines with, and the Monero wallet and mining pool to send mined currency to.

“However, if the http request for the config file is never responded, the malware is capable of successfully running the Miner with its default configuration,” Alien Vault notes.

In addition to the crypto-miner, the malware also attempts to install the classic Gh0st backdoor onto the infected machines. This suggests that the malware operators might be setting up for further attacks, the same as the recently detailed PyRoMine malware did.

AlienVault has identified two Monero wallets belonging to the MassMiner operators.


PyRoMine Crypto-Miner Spreads via NSA-Linked Exploit
30.4.2018 securityweek
Exploit

A remote code execution exploit supposedly stolen from the National Security Agency-linked Equation Group is currently being used by a new crypto-currency miner to spread to vulnerable Windows machines.

Dubbed PyRoMine, this Python-based program mines the Monero (XMR) cryptocurrency, as many malware families do. Unlike most of them, however, it uses the NSA-linked EternalRomance exploit to propagate, Fortinet’s Jasper Manuel says.

EternalRomance is one of the exploits the ShadowBrokers made public in April last year, one month after Microsoft released patches for them. Late last year, the exploit was leveraged in the global Bad Rabbit ransomware attack.

Earlier this year, EternalRomance and two similar exploits (EternalSynergy and EternalChampion) were ported to the Metasploit Framework, so they can be used against all Windows versions since Windows 2000.

PyRoMine, which is distributed as a ZIP file containing an executable compiled with PyInstaller (a tool that packages Python programs into stand-alone executables), uses a modified version of the EternalRomance implementation found on the exploit database website.

“Once executed, the malware gets the local IP addresses to find the local subnet(s), then iterates through all the IPs of these subnets to execute the payload,” Manuel reveals.

The exploit requires authentication, but it can yield SYSTEM privileges even from a Guest account. In this implementation, it checks whether the login type is not “Anonymous” and attempts to log in with the hardcoded credentials Default/P@ssw0rdf0rme to execute the payload.

“If unsuccessful, it then just tries to login as anonymous with an empty username and password. Since ‘internal’ is not ‘Anonymous’, it attempts to log-in with the said hardcoded credential, and then with empty username and password if not successful,” the researcher explains.

The malware also includes a list of credentials, but they are unused in the analyzed version. Relying on the Default/P@ssw0rdf0rme pair lowers the chance of an initial compromise, since that account does not normally exist; because the dropped VBScript later creates exactly that account, the malware is most likely setting the stage for re-infection or other future attacks, Manuel points out.

After compromise, the exploit payload downloads a VBScript responsible for fetching and executing the miner on the system. The VBS uses the aforementioned username/password pair to add an admin account to the system, enables Remote Desktop Protocol (RDP), and adds a firewall rule to allow traffic on RDP port 3389.

The VBScript file also stops the Windows Update Service, starts the Remote Access Connection Manager, and configures Windows Remote Management Service for basic authentication and for the transfer of unencrypted data, thus opening the machine for possible future attacks.

The VBS also downloads the miner file (the XMRig application that is registered as a service named SmbAgentService by the file svchost.exe) and several other files designed to act as watchdogs or to stop/disable/delete services, kill processes, and delete users and files.

First observed this month, the malware appears to have already produced at least 2.4 Monero (around $650) for the attackers, based on the wallet in the analyzed sample. The researchers, however, can’t say for sure how much profit the threat actor may have made overall.

PyRoMine is not the first crypto-miner to use the NSA exploits to spread (WannaMine did the same), but it clearly represents a real threat, considering the manner in which it opens the infected systems to further compromise. All unpatched Windows systems remain vulnerable to this and similar attacks.

“I think this is going to be something that we see MUCH more of in the future as the tools that are being deployed are multi-faceted. In this case, it’s not only mining and disabling security services. It’s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks,” Chris Roberts, chief security architect at Acalvio, told SecurityWeek.

“Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven’t patched or don’t pay attention to what we are downloading/clicking. Once again, we are the attack vector and the computer suffers,” Roberts added.

The NSA exploits have been abused in previous campaigns as well, including NotPetya and WannaCry ransomware, along with the Adylkuzz crypto-miner and the Retefe banking Trojan. What the Smominru botnet, WannaMine, and now PyRoMine reveal is a trend toward crypto-mining.

“It was expected that attackers would replace ransomware with crypto mining as the most popular form of opportunistic attack. We can see that many people simply are not paying ransoms, like in the recent case of the Atlanta state government,” Chris Morales, head of security analytics at San Jose, California-based Vectra, told SecurityWeek in an emailed commentary.


Expert devised an exploit for a code execution vulnerability in NVIDIA Tegra chipsets
25.4.2018 securityaffairs
Exploit

Security researcher Kate Temkin discovered a vulnerability in NVIDIA Tegra chipsets that can be exploited to execute custom code on locked-down devices.
The expert devised an exploit, dubbed Fusée Gelée, that leverages a coldboot vulnerability to gain full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM).

Exploiting the flaw compromises the entire root of trust of each processor and allows the exfiltration of sensitive data.

“As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses” reads a technical paper on the flaw.

The USB software stack implemented in the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by the attacker.

An attacker can use a specially crafted USB control request to transfer the contents of an attacker-controlled buffer onto the active execution stack, gaining control of the BPMP. Exploitation requires physical access to the affected hardware; the expert also highlighted that, because the flaw lies in the Tegra chipset itself, it is independent of the software stack.

“This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) “application processors” at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3),” continues the paper.

According to the researcher, the affected component cannot be patched, and the issue affects a large number of devices, including the Nintendo Switch console.

“The relevant vulnerability is the result of a ‘coding mistake’ in the read-only bootrom found in most Tegra devices. This bootrom can have minor patches made to it in the factory (‘ipatches‘), but cannot be patched once a device has left the factory.” wrote Temkin.

Temkin ethically reported the issue to NVIDIA and Nintendo and did not accept a reward for the discovery.

Temkin currently works on the hacking project ReSwitched, the team designing a custom Switch firmware called Atmosphère that leverages the Fusée Gelée exploit.

NVIDIA Tegra nintendo switch

The flaw affects all NVIDIA Tegra SoCs released prior to the T186 / X2.

The expert plans to release technical details of the flaw on June 15, 2018, but it is likely that other actors are also in possession of the Fusée Gelée exploit.

Is it true there are disadvantages to Fusée Gelée?

“Fusée Gelée isn’t a perfect, ‘holy grail’ exploit – though in some cases it can be pretty damned close. The different variants of Fusée Gelée will each come with their own advantages and disadvantages. We’ll work to make sure you have enough information to decide which version is right for you around when we release Fusée Gelée to the public, so you can decide how to move forward,” concluded Temkin.

Let me suggest reading the FAQ published by the expert for further info on the vulnerability.


Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday
15.4.2018 thehackernews
Exploit

Hackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of working exploit code.
Two weeks ago, the Drupal security team discovered a highly critical remote code execution vulnerability, dubbed Drupalgeddon2, in its content management system software that could allow attackers to completely take over vulnerable websites.


To address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue.
Two days ago, security researchers at Check Point and Dofinity published complete technical details about this vulnerability (CVE-2018-7600), using which, a Russian security researcher published a proof-of-concept (PoC) exploit code for Drupalgeddon2 on GitHub.
The Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations.

According to Check Point's disclosure, the vulnerability exists due to insufficient sanitization of inputs passed via Form API (FAPI) AJAX requests.
"As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication," Check Point researchers said.
"By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer."


However, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at Sucuri, Imperva, and the SANS Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none had yet seen any reports of websites being hacked.
Site administrators still running vulnerable versions of Drupal are strongly advised to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible to avoid exploitation.
The vulnerability also affects Drupal 6, which has not been supported since February 2016, but a patch for that version has still been created.


Watering Hole Attack Exploits North Korea's Flash Flaw
26.3.2018 securityweek
Exploit

An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns.

The targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea’s Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week.

By the end of February, cybercriminals were already abusing the vulnerability. The newly observed incident, Morphisec notes, is a textbook case of a watering hole assault. As part of such attacks, which are mainly focused on cyber-espionage, actors plant malware on websites their victims are likely to visit.

The newly observed incident revealed advanced evasive characteristics, as it was purely fileless, without persistence or any trace on the disk. Furthermore, it used a custom protocol on a non-filtered port.

“Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,” the security researchers note.

The Flash exploit used in this assault was highly similar to the one detailed in the previous analysis of the CVE-2018-4878 vulnerability, although it employs a different shellcode executed post exploitation.

The shellcode executes rundll32.exe and overwrites its memory with malicious code. This malicious code was designed to download additional code directly into the memory of the rundll32 process.

The security researchers also discovered that the command and control (C&C) server uses a custom protocol over port 443 to communicate with the victim.

The additional code downloaded into the memory of rundll32 includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15, less than a week before the attack.

“As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,” Morphisec says.

Despite these advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and lacked any sophistication, obfuscation or evasion, which creates confusion and makes it difficult to pinpoint the attack to an actor.

According to Morphisec, this attack, the exploit kits that were updated to target CVE-2018-4878, the campaign observed a few weeks ago, and the vulnerability’s abuse by nation-state groups all create a certain sense of déjà vu.

“It is like the anarchy of 2-3 years ago when we had new exploits targeting a particular vulnerability discovered every week. Each one different enough to evade detection for those crucial first moments and security solutions always racing to catch up,” the security firm concludes.


Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files
23.3.2018 thehackernews 
Exploit

You have always been warned not to share remote access to your computer with untrusted people for any reason—it's basic cybersecurity advice, and common sense, right?
But what if I told you that you should not even trust anyone who invites you to take, or offers you, full remote access to their computer?
A critical vulnerability has been discovered in Microsoft's Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.
Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.
The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.
However, Nabeel Ahmed of Trend Micro's Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim's system.
The vulnerability, which has been fixed by the company in this month's Patch Tuesday updates, resides in the way Windows Remote Assistance processes XML External Entities (XXE).
The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).
Exploiting Windows Remote Assistance to Steal Files

Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.
In order to exploit this flaw, which resides in the MSXML3 parser, the attacker needs to use the "Out-of-Band Data Retrieval" attack technique by offering the victim access to his/her computer via Windows Remote Assistance.
While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.
Selecting the first option helps users generate an invitation file, i.e. 'invitation.msrcincident,' which contains XML data with a lot of parameters and values required for authentication.

Since the parser does not properly validate the content, the attacker can simply send a specially crafted Remote Assistance invitation file containing a malicious payload to the victim, tricking the targeted computer into submitting the content of specific files from known locations to a remote server controlled by the attackers.
"The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action," Microsoft explains.
"This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information," Ahmed warns.
Along with the other critical vulnerabilities fixed this month, Windows users are strongly advised to install the latest update for Windows Remote Assistance as soon as possible.


Windows Remote Assistance flaw could be exploited to steal sensitive files
21.3.2018 securityaffairs 
Exploit
A critical flaw in the Windows Remote Assistance tool, which lets someone you trust take over your PC so they can help you fix a problem (and vice versa), could be exploited to steal sensitive files.
A critical vulnerability in Microsoft’s Windows Remote Assistance (Quick Assist) feature affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7. The flaw could be exploited by a remote attacker to steal sensitive files on the targeted machine.
The Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice versa.

The Windows Remote Assistance feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.
Nabeel Ahmed, a researcher with Trend Micro's Zero Day Initiative, discovered an information disclosure vulnerability in Windows Remote Assistance tracked as CVE-2018-0878. An attacker can trigger the flaw to obtain information that can be used to further compromise the victim’s system.
Microsoft fixed the vulnerability in this month's Patch Tuesday updates; the issue resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The CVE-2018-0878 vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Ahmed has also published technical details and proof-of-concept exploit code for the vulnerability.

The attacker can use the “Out-of-Band Data Retrieval” attack technique to exploit this vulnerability, which resides in the MSXML3 parser, by offering the victim access to his computer via Windows Remote Assistance.

To set up a Windows Remote Assistance connection, the attacker can either:

Invite someone to help him;
Respond to someone who needs help.
When you invite someone to help you, an invitation file is generated (i.e. ‘invitation.msrcincident’) which contains XML data used for authentication.

The following table lists the parameters included in the request.

Windows Remote Assistance 2

The expert found that the XML data is parsed with MSXML3, which does not properly validate the content. This means that an attacker can send the victim a specially crafted Remote Assistance invitation file containing malicious code that instructs the target computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. An attacker could then steal text files from known locations on the victim’s machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim.” reads the security advisory published by Microsoft.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Windows Remote Assistance

The expert warns of mass-scale phishing attacks that leverage .msrcincident invitation files and could potentially result in the loss of sensitive information.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information. An attacker could target specific log/config files containing username/passwords,” Ahmed warns.

The expert developed a tool to automate XXE exfiltration of multiple files by brute-forcing certain directory locations; the software is available on GitHub.
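The invitation file is XML handed to MSXML3, and the attack described above works only because that parser resolves external entities declared in a DTD. An invitation file generated by Windows has no reason to carry a DOCTYPE at all, so a mail gateway or the receiving host can reject any .msrcincident file that contains one before a parser ever sees it. The C code below is an added example written for this page, not code from Ahmed, Microsoft or this article: it scans the raw bytes for DTD constructs and classifies the document. The INVITATION/TICKET element names and both sample files are constructed placeholders, not the real invitation schema.

```c
#include <string.h>
#include <stdio.h>

enum xml_verdict { XML_CLEAN = 0, XML_HAS_DTD = 1, XML_HAS_EXTERNAL_ENTITY = 2 };

/* Classify a document by the DTD constructs it carries, before any
 * entity-resolving parser touches it. XML keywords are case-sensitive,
 * so a plain byte search is sufficient. */
enum xml_verdict classify_xml(const char *xml) {
    const char *doctype = strstr(xml, "<!DOCTYPE");
    const char *entity  = strstr(xml, "<!ENTITY");
    if (!doctype && !entity) return XML_CLEAN;
    /* External identifiers are what let an entity read a local file or
     * reach a remote host; a parameter entity (%name;) can also pull in an
     * external DTD. Scan from the first DTD construct onward. */
    const char *start = (doctype && (!entity || doctype < entity)) ? doctype : entity;
    if (strstr(start, "SYSTEM") || strstr(start, "PUBLIC")) return XML_HAS_EXTERNAL_ENTITY;
    return XML_HAS_DTD;
}

/* Gate policy for invitation files: Windows generates them without any
 * DTD, so anything carrying one is rejected outright. Returns 1 to accept. */
int accept_invitation(const char *xml) {
    return classify_xml(xml) == XML_CLEAN;
}

/* Constructed samples; element names are placeholders, not the real
 * msrcincident schema. */
static const char benign_invitation[] =
    "<?xml version=\"1.0\"?>\n"
    "<INVITATION>\n"
    "  <TICKET>constructed-ticket-value</TICKET>\n"
    "</INVITATION>\n";

static const char xxe_invitation[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE INVITATION [\n"
    "  <!ENTITY ext SYSTEM \"file:///C:/placeholder/config.txt\">\n"
    "]>\n"
    "<INVITATION><TICKET>&ext;</TICKET></INVITATION>\n";

int gate_benign(void)  { return accept_invitation(benign_invitation); } /* 1 */
int gate_xxe(void)     { return accept_invitation(xxe_invitation); }    /* 0 */
int verdict_xxe(void)  { return (int)classify_xml(xxe_invitation); }    /* 2 */

int main(void) {
    printf("benign invitation accepted: %d\n", gate_benign());
    printf("XXE invitation accepted:    %d\n", gate_xxe());
    printf("XXE invitation verdict:     %d\n", verdict_xxe());
    return 0;
}
```

The gate errs on the side of rejection: a document whose internal DTD is followed by the word SYSTEM in ordinary text would also be classed as external, which is acceptable for a file type that should never carry a DTD. It is defense in depth alongside the Microsoft patch, not a substitute for it.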

Don’t waste time, install the latest update for Windows Remote Assistance as soon as possible.


Remotely Exploitable Vulnerability Discovered in MikroTik's RouterOS
16.3.2018 securityweek
Exploit  Vulnerability

A vulnerability exists in MikroTik's RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday.

MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it.

The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer -- but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.
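The Tegra bootROM bug described earlier on this page (a USB control request whose length drives a copy) and the RouterOS SMB bug here (a length byte read from the source buffer and used for the copy) belong to the same defect class: a length taken from untrusted input is never compared with the destination. The C snippet below is an added illustration written for this page, not code from either advisory or vendor; the 64-byte destination, the one-byte length prefix and the message layout are assumptions chosen to make the pattern visible. It shows the unchecked copy beside a checked version that rejects a length exceeding either the bytes actually received or the destination capacity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Destination capacity and message layout are assumptions for this
 * illustration: byte 0 of the message claims how many payload bytes
 * follow it. */
#define DST_SIZE 64

/* Vulnerable pattern: the claimed length drives the copy and nothing
 * compares it with the destination size or with the bytes received.
 * Returns the number of bytes copied. Called below only with a benign
 * message; an oversized claim would write past dst. */
size_t copy_unchecked(uint8_t *dst, const uint8_t *msg) {
    size_t n = msg[0];          /* attacker-controlled length */
    memcpy(dst, msg + 1, n);
    return n;
}

/* Hardened: the claimed length must fit both the bytes actually received
 * and the destination. Returns -1 for a malformed message, otherwise the
 * number of bytes copied. */
int copy_checked(uint8_t *dst, size_t dst_size, const uint8_t *msg, size_t msg_len) {
    if (msg == NULL || msg_len < 1) return -1;
    size_t n = msg[0];
    if (n > msg_len - 1) return -1; /* claims more than was received */
    if (n > dst_size) return -1;    /* would overflow dst */
    memcpy(dst, msg + 1, n);
    return (int)n;
}

/* Constructed messages (not captured traffic). */
int check_oversized_claim(void) {
    uint8_t dst[DST_SIZE];
    uint8_t msg[256];
    memset(msg, 'A', sizeof msg);
    msg[0] = 0xFF;                       /* claims 255 bytes; dst holds 64 */
    return copy_checked(dst, DST_SIZE, msg, sizeof msg);   /* -1 */
}

int check_truncated_message(void) {
    uint8_t dst[DST_SIZE];
    uint8_t msg[3] = { 10, 'x', 'y' };   /* claims 10 bytes, only 2 follow */
    return copy_checked(dst, DST_SIZE, msg, sizeof msg);   /* -1 */
}

int check_wellformed(void) {
    uint8_t dst[DST_SIZE];
    uint8_t msg[6] = { 5, 'h', 'e', 'l', 'l', 'o' };
    int n = copy_checked(dst, DST_SIZE, msg, sizeof msg);
    return (n == 5 && memcmp(dst, "hello", 5) == 0) ? n : -2;   /* 5 */
}

int main(void) {
    uint8_t dst[DST_SIZE];
    uint8_t benign[6] = { 5, 'h', 'e', 'l', 'l', 'o' };
    printf("unchecked copy of benign message: %zu bytes\n", copy_unchecked(dst, benign));
    printf("oversized claim rejected:  %d\n", check_oversized_claim());
    printf("truncated message rejected: %d\n", check_truncated_message());
    printf("well-formed message copied: %d\n", check_wellformed());
    return 0;
}
```

The second check (claimed length against bytes received) matters as much as the first: without it a short datagram lets the copy read past the end of the receive buffer, which is an information leak even when the destination is large enough.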

Core's vulnerability advisory includes a proof of concept exploit against MikroTik's x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls 'mprotect' to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location.

"Our testing," says Core's advisory, "showed this approach to be extremely reliable." The reserved CVE number is CVE-2018-7445.

Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn't be ready.

On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers -- but it subsequently confirmed that the flaw has been fixed. MikroTik's advice for customers that cannot upgrade is that they should turn off SMB.

Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. It has identified around 100 victims. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik's Winbox management tool.

It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspersky Lab informed the company about its research prior to its own publication.

While the router vulnerability would be the first stage of the attack, the second stage would be the use of Winbox to get the malicious downloads. MikroTik claims on its support forum that Winbox is secure. In a thread started by a customer disturbed at learning about Slingshot from reports in the media rather than from MikroTik, MikroTik responded, "There is NO insecure Winbox v3. Winbox v3 was released in 2014. Even if somebody was using a really old Winbox v2, they still had to have an unsecured RouterOS device so that somebody could compromise it (firewall had to be removed). This is why they found only 120 affected machines since 2012."

The bottom line is that MikroTik is quick to fix issues it knows about, but prefers to maintain a low profile over those problems. The danger here is that existing customers might not be aware of the issues, and be in no hurry to upgrade. MikroTik customers should be aware that a proven proof of concept exploit for vulnerability CVE-2018-7445 is in the public domain, and the 'patch' for this exploit is to upgrade RouterOS to version 6.41.3.


Exploiting the User PII Held in Everyone's Web Browser
7.3.2018 securityweek 
Exploit

Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.

Ryan Benson, formerly a forensic analyst with both Mandiant and Stroz Friedberg and now senior threat researcher at San Mateo, CA-based Exabeam, decided to examine just how much data is available, and how readily it can be harvested.

Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user's IP address.

The second phase of the research involved interaction with websites. “In order to do this,” writes Benson in a blog account of the research, “we needed to create accounts on these sites, log in, perform a relevant action (e.g., send an email on a webmail server, view a document on a cloud storage platform, etc.), and see what traces could be found.”

The services chosen were typical of normal Internet usage — Google, Youtube, Facebook, Reddit, Amazon, Twitter, Live and so on — and did not seek to reflect any more exotic use of the Web. The results here become more interesting, because traces of the interactions were left within the browser. These include the browsing history (where and when different sites are visited), email addresses, search queries, and files viewed and downloaded.

This provides a rich source for both user identification and profiling that could be leveraged for targeted spear-phishing for more secure and confidential company accounts.

The picture gets worse with the details held by the browser for automatic form completion, and the passwords held in the browser's internal password manager. Both of these services offer huge productivity gains for the user; but huge PII value for the attacker.

The password manager stores passwords in encrypted form; but they are automatically decrypted for use, and can be easily accessed by software — such as the free NirSoft tool that dumps saved passwords — and various malware. “The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games,” writes Benson, “reportedly took advantage of user credentials saved in the browser.”

The available data, unless direct action is taken to exclude it from the browser, can include passwords (including email passwords), location history, user interests, employer and company position, and device details.

All of this data is easily available to any attacker that has access — physical or virtual — to any desktop, laptop or mobile device that uses a browser. Anti-malware controls cannot prevent all malware, while malware detection systems often look for signs of large scale data exfiltration. It is easy to picture stealthy malware getting through defenses and lying almost totally dormant, just extracting small amounts of data from the user's browser.

A physical attack, using the evil maid scenario, is even simpler. “If a machine is unlocked,” warns Benson, “extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialized software or click of a web link to insert malware.”

Benson describes the data held by the browser as the user's ‘web dossier,’ and describes ways in which it could be exploited; often by inferring extensions to the data discovered. “Criminals can learn who in a company has access to the financial or payroll application,” he warns, “and compile a list of usernames to use to break in.” Details surmised from the browsing history can help craft compelling phishing emails targeted at senior personnel, or designed to persuade users to reset company account passwords which can then be harvested.

The best way to prevent web dossier details being harvested by attackers is to exclude them from the browser. Methods could include increased use of the browser's incognito mode, which excludes session details from being saved and potentially exploited. The internal password manager should be abandoned and replaced by third-party separate managers.

In reality, even locking down the browser and using incognito browsing, will not prevent all access to personal data — much of it will still be available to ISPs. In some countries, such as the UK, this data can be accessed by a range of law enforcement and government offices. In other countries, including the U.S., third parties can buy this data from the ISPs.

The solution here depends upon both personal and company risk appetites. “If this is a concern,” Benson told SecurityWeek, “the solution is to use a VPN. Not only will the ISP not know where you are going, the website visited won't even know what country you come from.”

Exabeam raised $10 million in a Series A funding round led by Norwest Venture Partners, with participation from Aspect Ventures and angel investor Shlomo Kramer, in June 2014. This was followed by a further $25 million Series B in 2015, and $30 million Series C in 2017.


Two PoC exploits for Memcached DDoS attacks have been released online
7.3.2018 securityaffairs
Attack  Exploit

Memcached DDoS attacks – A few days after the disclosure of the world’s largest DDoS attack on record, which peaked at 1.7 Tbps, two PoC exploit codes for Memcached amplification attacks have been released online.
The technique behind Memcached DDoS attacks is one of the hottest topics in cybersecurity at this moment.

The world’s largest DDoS attack record lasted just a few days: Arbor Networks reported that earlier this month a US service provider suffered a 1.7 Tbps memcached DDoS attack.

memcached DDoS attacks Mar2018

Now two distinct proof-of-concept (PoC) exploit codes for Memcached amplification attacks have been released online, which means that anyone can use them to launch memcached DDoS attacks.

One of the PoC exploits is written in Python and relies on the Shodan search engine API to obtain an updated list of vulnerable Memcached servers, which it then involves in memcached DDoS attacks.

The second exploit code is written in C and uses a pre-compiled list of vulnerable Memcached servers. The author also published the file memecache-amp-03-05-2018-rd.list, a list of vulnerable memcached servers as of 03-05-2018.

As a bonus, its description already includes a list of nearly 17,000 potentially vulnerable Memcached servers left exposed on the Internet.

DΛNIΞL 🤖 (@hypoweb): List of memcached servers as of 03-06-2018 https://pastebin.com/raw/eSCHTTVu

DΛNIΞL 🤖 (@hypoweb): Another memcached-poc https://pastebin.com/raw/ZiUeinae
11:06 AM - Mar 7, 2018

We first read about memcached DDoS attacks on February 28, 2018, when the code hosting website GitHub was hit by the largest-ever DDoS attack, which peaked at 1.3 Tbps.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the amplification technique could allow attackers to obtain an amplification factor of 51,200.
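The memcached UDP protocol wraps each datagram in an 8-byte frame header (request ID, sequence number, total datagram count, and a reserved field that must be zero) followed by the ASCII command. The C code below is an added example written for this page, not Cloudflare's or memcached's own code: it parses that header, extracts the command so a border filter can flag read commands arriving on UDP/11211 from outside the trusted network, and computes the amplification factor from a request/response size pair. The sample datagram and the 768,000-byte response size are constructed values; the 51,200 factor they reproduce is the Cloudflare figure quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct mc_udp_frame {
    uint16_t request_id;
    uint16_t seq;        /* this datagram's index within the message */
    uint16_t total;      /* number of datagrams in the message */
    char command[16];    /* first token of the ASCII command, e.g. "get" */
};

/* Parse the 8-byte memcached UDP frame header (big-endian fields, reserved
 * word zero) and the command keyword that follows it.
 * Returns 0 on success, -1 if the datagram is not a well-formed frame. */
int parse_memcached_udp(const uint8_t *pkt, size_t len, struct mc_udp_frame *out) {
    if (pkt == NULL || len < 8) return -1;
    uint16_t reserved = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (reserved != 0) return -1;
    out->request_id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    out->seq        = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->total      = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (out->total == 0 || out->seq >= out->total) return -1;
    size_t i = 8, j = 0;
    while (i < len && pkt[i] != ' ' && pkt[i] != '\r' && pkt[i] != '\n'
           && j < sizeof out->command - 1)
        out->command[j++] = (char)pkt[i++];
    out->command[j] = '\0';
    return j > 0 ? 0 : -1;
}

/* Commands whose response can dwarf the request: reads return stored
 * values, "stats" dumps server state. Seen from outside on UDP/11211,
 * these are the datagrams an amplification filter should drop. */
int is_amplifiable_command(const char *cmd) {
    static const char *const reads[] = { "get", "gets", "stats" };
    for (size_t i = 0; i < sizeof reads / sizeof reads[0]; i++)
        if (strcmp(cmd, reads[i]) == 0) return 1;
    return 0;
}

/* Response bytes per request byte; 0 for an empty request. */
double amplification_factor(size_t request_bytes, size_t response_bytes) {
    if (request_bytes == 0) return 0.0;
    return (double)response_bytes / (double)request_bytes;
}

/* Constructed sample datagram (not captured traffic): request id 1,
 * sequence 0 of 1, reserved 0, command "get a\r\n"; 15 bytes in total. */
static const uint8_t sample_get[] = {
    0x00, 0x01,  0x00, 0x00,  0x00, 0x01,  0x00, 0x00,
    'g', 'e', 't', ' ', 'a', '\r', '\n'
};

size_t sample_get_len(void) { return sizeof sample_get; }   /* 15 */

/* 1 if the sample parses and carries an amplifiable command, else -1/0. */
int classify_sample_request(void) {
    struct mc_udp_frame f;
    if (parse_memcached_udp(sample_get, sizeof sample_get, &f) != 0) return -1;
    return is_amplifiable_command(f.command);
}

/* A non-zero reserved word is not a valid frame. */
int reject_bad_reserved(void) {
    uint8_t pkt[sizeof sample_get];
    struct mc_udp_frame f;
    memcpy(pkt, sample_get, sizeof pkt);
    pkt[7] = 0x01;
    return parse_memcached_udp(pkt, sizeof pkt, &f);   /* -1 */
}

/* Fewer than 8 bytes cannot hold the header. */
int reject_short(void) {
    struct mc_udp_frame f;
    return parse_memcached_udp(sample_get, 5, &f);     /* -1 */
}

int main(void) {
    printf("sample request amplifiable: %d\n", classify_sample_request());
    printf("bad reserved word: %d, short datagram: %d\n", reject_bad_reserved(), reject_short());
    printf("amplification for a 15-byte request and 768000-byte response: %.0f\n",
           amplification_factor(sample_get_len(), 768000));
    return 0;
}
```

On the server side, starting memcached with UDP disabled (the -U 0 option) removes the vector entirely, which is what the Cloudflare recommendation below amounts to; the filter above is for operators who cannot touch every exposed server and must drop the traffic at the network edge instead.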

We have no doubt that the situation will get worse due to the online availability of the PoC exploit codes.
Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”

The fear of this new kind of attack represents a good opportunity for cybercriminals: crooks have already started blackmailing companies, demanding a ransom in Monero cryptocurrency to avoid being attacked via Memcached servers.


Disappearing bytes: Reverse engineering the MS Office RTF parser
24.2.2018 Kaspersky
Exploit
Microsoft Office was a prime target for attacks in 2017. As well as the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent detection of ‘one-day’ and ‘old-day’ exploits by antivirus software. It also became clear that using RTF parsing features and peculiarities is no longer enough to effectively evade detection. Along with the rise of MS Office exploitation, when RTF is used as a container for an exploit, we encountered lots of samples that were ‘exploiting’ the implementation of Microsoft Word’s RTF parser to confuse all other third-party RTF parsers, including those used in AV software.

To achieve parsing exactly like that in MS Office, we needed to reverse-engineer it.

I decided to look first at MS Office 2010, because when it comes to parsing it’s better to look at an older implementation. I then compared my findings with those found in newer versions.

An RTF parser comprises a state machine with 37 states, 22 of which are unique:
 

We’ll look at the most significant states and those that have an influence on the parsing of \objdata, a destination control word that contains the object data. Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. These states are:

enum
{
    PARSER_BEGIN = 0,
    PARSER_CHECK_CONTROL_WORD = 2,
    PARSER_PARSE_CONTROL_WORD = 3,
    PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER = 4,
    PARSER_PARSE_HEX_DATA = 5,
    PARSER_PARSE_HEX_NUM_MSB = 7,
    PARSER_PARSE_HEX_NUM_LSB = 8,
    PARSER_PROCESS_CMD = 0xE,
    PARSER_END_GROUP = 0x10,
    // ...
};

Microsoft Office is shipped without debug symbols, meaning it wasn’t possible to recover the original state names. However, I believe I’ve chosen suitable names according to their underlying functionality.

The first state executed on an opened RTF file is PARSER_BEGIN. In most cases, it’s also executed after processing a control word. The main goal of this state is to determine the next state according to the encountered char, the destination, and other values stored in the ‘this’ structure and set by control word processors. By default the next state is PARSER_CHECK_CONTROL_WORD.

case PARSER_BEGIN:
    // ... checks that we don't need
    while (data.pos != data.end)
    {
        byte = *(uint8_t*)data.pos;
        data.pos++;
        if (this->bin_size > 0)
        {
            goto unexpected_char;
        }
        // ...
        if (byte == 9)
        {
            // ...
            continue;
        }
        if (byte == 0xA || byte == 0xD)
        {
            // ...
            break;
        }
        if (byte == '\\')
        {
            uint8_t byte1 = *(uint8_t*)data.pos;
            if (byte1 == '\'')
            {
                if (this->destination == listname ||
                    this->destination == fonttbl ||
                    this->destination == revtbl ||
                    this->destination == falt ||
                    this->destination == leveltext ||
                    this->destination == levelnumbers ||
                    this->destination == liststylename ||
                    this->destination == protusertbl ||
                    this->destination == lsdlockedexcept)
                    goto unexpected_char;
                state = PARSER_CHECK_CONTROL_WORD;
                // ...
                break;
            }
            if (byte1 == 'u')
            {
                // ...
                break;
            }
            state = PARSER_CHECK_CONTROL_WORD;
            // ...
            break;
        }
        if (byte == '{')
        {
            create_new_group();
            // ...
            break;
        }
        if (byte == '}')
        {
            state = PARSER_END_GROUP;
            break;
        }
    unexpected_char:
        // it will set next state depending on destination / or go to unexpected_cmd to do more checks and magic
        // ...
        if (this->destination == pict ||
            this->destination == objdata ||
            this->destination == objalias ||
            this->destination == objsect ||
            this->destination == datafield ||
            this->destination == fontemb ||
            this->destination == svb ||
            this->destination == macro ||
            this->destination == tci ||
            this->destination == datastore ||
            this->destination == mmconnectstrdata ||
            this->destination == mmodsoudldata ||
            this->destination == macrosig)
        {
            state = PARSER_PARSE_HEX_DATA;
            data.pos--;
            break;
        }
        // ...
        break;
    }
    break;

PARSER_CHECK_CONTROL_WORD checks whether the next character starts a control word or is a control symbol, and sets the next state accordingly.

    case PARSER_CHECK_CONTROL_WORD:
        byte = *(uint8_t*)data.pos;
        if ((byte >= 'a' && byte <= 'z') || (byte == ' ') || (byte >= 'A' && byte <= 'Z'))
        {
            state = PARSER_PARSE_CONTROL_WORD;
            this->cmd_len = 0;
        }
        else
        {
            // control symbol: a single non-alphabetic character
            data.pos++;
            this->temp[0] = 1;
            this->temp[1] = byte;
            this->temp[2] = 0;
            state = PARSER_PROCESS_CMD;
            this->cmd_len = 1;
            break;
        }

The states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER store the control word, which consists of ASCII letters, and its numeric parameter (if present) as two null-terminated strings in a temporary buffer of fixed size. Note which bytes are consumed: the space that delimits a control word is consumed, but any other terminating byte, including a digit that no longer fits into the buffer, is left in place and re-read by the next state.

    case PARSER_PARSE_CONTROL_WORD:
        pos = this->temp + 1;
        parsed = this->temp + 1;
        while (data.pos != data.end)
        {
            byte = *(uint8_t*)data.pos;
            // length of null-terminated strings cmd + num should be <= 0xFF
            if ((byte == '-') || (byte >= '0' && byte <= '9'))
            {
                //if parsed == temp_end
                //    goto raise_exception
                *parsed = 0;
                parsed++;
                pos = parsed;
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                    *parsed = 0;
                    state = PARSER_PROCESS_CMD;
                    this->cmd_len = pos - (this->temp + 1);
                    break;
                }
                data.pos++;
                this->cmd_len = pos - (this->temp + 1);
                *parsed = byte;
                parsed++;
                pos = parsed;
                state = PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER;
                break;
            }
            if (byte == ' ')
            {
                data.pos++;   // the delimiting space is consumed
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
                state = PARSER_PROCESS_CMD;
                this->cmd_len = pos - (this->temp + 1);
                break;
            }
            if ((byte >= 'a' && byte <= 'z') || (byte >= 'A' && byte <= 'Z'))
            {
                if (parsed - this->temp >= 0xFF)
                {
                    if (parsed >= temp_end)
                    {
                        parsed = temp_end - 1;
                    }
                    *parsed = 0;
                    state = PARSER_PROCESS_CMD;
                    this->cmd_len = pos - (this->temp + 1);
                    break;
                }
                //if parsed == temp_end
                //    goto raise_exception
                *parsed = byte;
                parsed++;
                pos = parsed;
                data.pos++;
            }
            else
            {
                // any other byte ends the control word and is not consumed
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
                state = PARSER_PROCESS_CMD;
                this->cmd_len = pos - (this->temp + 1);
                break;
            }
        }
        break;

    case PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER:
        while (data.pos != data.end)
        {
            byte = *(uint8_t*)data.pos;
            // length of null-terminated strings cmd + num should be <= 0xFF
            if (byte == ' ')
            {
                data.pos++;
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
                state = PARSER_PROCESS_CMD;
                break;
            }
            if (byte >= '0' && byte <= '9')
            {
                if (parsed - this->temp >= 0xFF)
                {
                    // temp is full: stop here, this digit is not consumed
                    if (parsed >= temp_end)
                    {
                        parsed = temp_end - 1;
                    }
                    *parsed = 0;
                    state = PARSER_PROCESS_CMD;
                    break;
                }
                //if parsed == temp_end
                //    goto raise_exception
                *parsed = byte;
                parsed++;
                data.pos++;
            }
            else
            {
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
                state = PARSER_PROCESS_CMD;
                break;
            }
        }
        break;

    case PARSER_PROCESS_CMD:
    case PARSER_SKIP_DATA:
    case PARSER_END_GROUP:
    case PARSER_SKIP_DATA_CHECK_B:
    case PARSER_SKIP_DATA_CHECK_I:
    case PARSER_SKIP_DATA_CHECK_N:
    case PARSER_SKIP_DATA_GET_BIN_VAL:
    case PARSER_SKIP_DATA_INNER_DATA:
        this->state = state;
        cmd_parser(&data);
        state = this->state;
        break;

The stored control word is then processed in the state PARSER_PROCESS_CMD, which calls another function responsible for handling control words and control symbols. That function takes the current state into account and sets the next one.

There are several states responsible for parsing hex data. The most interesting one for us is PARSER_PARSE_HEX_DATA; as shown above, PARSER_BEGIN selects it when the current destination is objdata (or one of the other destinations in that list).

    case PARSER_PARSE_HEX_DATA:
        parsed_data = this->temp;
        if (this->bin_size <= 0)
        {
            while (data.pos != data.end)
            {
                byte = *(uint8_t*)data.pos;
                if (byte == '{' || byte == '}' || byte == '\\')
                {
                    state = PARSER_BEGIN;
                    if (parsed_data != this->temp)
                    {
                        push_data(parsed_data - this->temp);
                        parsed_data = this->temp;
                    }
                    break;
                }
                if (this->flag & 0x4000)
                {
                    data.pos++;
                    continue;
                }
                if (byte >= '0' && byte <= '9')
                {
                    val = byte - 0x30;
                }
                else if (byte >= 'a' && byte <= 'f')
                {
                    val = byte - 0x57;
                }
                else if (byte >= 'A' && byte <= 'F')
                {
                    val = byte - 0x37;
                }
                else if (byte == 9 || byte == 0xA || byte == 0xD || byte == 0x20)
                {
                    data.pos++;
                    continue;
                }
                else
                {
                    // show message that there is not enough memory
                    this->flag |= 0x4000;
                    data.pos++;
                    continue;
                }
                if (this->flag & 0x8000)
                {
                    // high nibble (MSB)
                    this->hex_data_byte = val << 4;
                    this->flag &= 0x7FFF;
                }
                else
                {
                    // low nibble (LSB): the byte is complete
                    if (parsed_data == temp_end)
                    {
                        push_data(sizeof(this->temp));
                        parsed_data = this->temp;
                    }
                    this->hex_data_byte |= val;
                    *parsed_data = this->hex_data_byte;
                    parsed_data++;
                    this->flag |= 0x8000;
                }
                data.pos++;
            }
        }
        else
        {
            if (this->flag & 0x4000)
            {
                uint32_t size;
                if (this->bin_size <= data.end - data.pos)
                {
                    size = this->bin_size;
                }
                else
                {
                    size = data.end - data.pos;
                }
                this->bin_size -= size;
                data.pos += size;
            }
            else
            {
                while (this->bin_size > 0)
                {
                    if (parsed_data == temp_end)
                    {
                        push_data(sizeof(this->temp));
                        parsed_data = this->temp;
                    }
                    byte = *(uint8_t*)data.pos;
                    *parsed_data = byte;
                    parsed_data++;
                    data.pos++;
                    this->bin_size--;
                }
            }
        }
        if (parsed_data != this->temp)
        {
            push_data(parsed_data - this->temp);
            parsed_data = this->temp;
        }
        break;

This state parses hexadecimal data, or raw binary data when bin_size has been set. The nibble position is tracked in bit 0x8000 of this->flag: set means the next hex digit is a high nibble, clear means it is the low nibble that completes the byte.

The states PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB are used together to parse a two-digit hex value (the data of the \panose control word and of the \' control symbol).

    case PARSER_PARSE_HEX_NUM_MSB:
        this->flag |= 0x8000;   // the same bit PARSER_PARSE_HEX_DATA uses for its nibble position
        this->hex_num_byte = 0;
        state = PARSER_PARSE_HEX_NUM_LSB;
        // falls through
    case PARSER_PARSE_HEX_NUM_LSB:
        // ...
        byte = *(uint8_t*)data.pos;
        data.pos++;
        val = 0;
        // no rejection of non-hex bytes: whatever falls out of these comparisons is OR'ed in
        if (byte - '0' <= 9)
        {
            val = byte - 0x30;
        }
        else if (byte - 'a' <= 5)
        {
            val = byte - 0x57;
        }
        else if (byte - 'A' <= 5)
        {
            val = byte - 0x37;
        }
        this->hex_num_byte |= val << ((this->flag >> 0xF) << 2);
        this->flag = ((~this->flag ^ this->flag) & 0x7FFF) ^ ~this->flag;   // flips bit 0x8000 (and any bits above it)
        if (this->flag & 0x8000)
        {
            // ...
            state = PARSER_BEGIN;
        }
        else
        {
            break;
        }
        break;

State reset
Looking at PARSER_PARSE_HEX_NUM_MSB, PARSER_PARSE_HEX_NUM_LSB and PARSER_PARSE_HEX_DATA, the bug is easy to spot. Although they store the decoded hex value in different variables (hex_num_byte and hex_data_byte), they share the same bit of this->flag (0x8000) to track which nibble is currently being decoded: the high nibble (most significant bits, MSB) or the low nibble (least significant bits, LSB). And PARSER_PARSE_HEX_NUM_MSB unconditionally resets that bit to 'MSB'.

It is therefore possible to make bytes disappear from the PARSER_PARSE_HEX_DATA stream by forcing a transition to PARSER_PARSE_HEX_NUM_MSB.

For this to work it is enough to put \'XX in the data that follows the \objdata control word. When the parser encounters the \ in state PARSER_PARSE_HEX_DATA it returns to PARSER_BEGIN and from there goes to PARSER_PROCESS_CMD. The handler for the \' control symbol does not change the destination, but sets the next state to PARSER_PARSE_HEX_NUM_MSB. After PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB have consumed the two bytes XX, control returns to PARSER_BEGIN and then to PARSER_PARSE_HEX_DATA, because the destination is still objdata. The bit is now set, so the next hex digit is decoded as a high nibble. If the hex stream was interrupted after an odd number of digits, the pending high nibble is silently dropped; after an even number of digits only the \'XX itself vanishes.

It is also worth noting that PARSER_PARSE_HEX_NUM_LSB does not check whether the provided value is valid hexadecimal; therefore, absolutely any two bytes can follow \'.

This behavior can be observed in the following example:

[screenshot: "f\'cc" will be removed from the final result]

When control is transferred to the PARSER_PARSE_HEX_DATA state for the first time, right after the \objdata control word has been processed, the MSB bit is already set. Let's look at how that happens and how this example is processed:

[screenshot: processing of the example]

After some reverse engineering of the keyword processing function, I found a list of all the control words and their corresponding structures:

[screenshot: control words and their structures]

With this information we can locate and look at the objdata constructor:

[screenshot: the objdata constructor]

As you can see, it sets the MSB bit, allocates a new buffer and replaces the old pointer with the new one. Therefore, the data decoded between two \objdata control words is never used:

[screenshot: "d0cf11e0a1b11ae1" will be removed from the final result]

Final destination
We know that putting \' or \objdata inside the data changes the output. What about the other control words and control symbols? There are more than 1500 of them!

Mostly nothing.

Control words that represent a destination can't be used: they change the destination away from objdata on their own, and the objdata destination is needed to decode the object.

The other control words do not affect the objdata destination at all.

The only way to change the destination and still return to objdata without losing the previously decoded data is to use the special symbols that open ({) and close (}) a group.

When the parser encounters the end of a group in state PARSER_BEGIN, it restores the destination that was in effect before the group started.

Therefore, after \objdata, the FF in {\aftncn FF} will not get into the decoded data: inside the group the destination is aftncn and FF is handled according to that destination.

By contrast, the FF in {\aftnnalc FF} does get into the decoded data, because \aftnnalc is not a destination and the destination is still objdata.

It is also worth noting that {\objdata FF} still can't be used for this: the end of the group restores the destination, but not the buffer that the objdata constructor replaced.

An accurate list of all destination control words was created with a simple fuzzer.

Fixed-size buffer
Another obfuscation technique that comes to mind while looking at the code of the RTF parser is not related to the 'MSB' bug, but can also be used to remove bytes from a hex stream. It relies on the size of the temporary buffer and on how a control word and its numeric parameter are parsed in the states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER: digits are appended to the parameter only while the buffer has room, and the first digit that no longer fits is not consumed, so it is re-read as hex data. You can see an example of its use in the following screenshot.

[screenshot: \oldlinewrap followed by a run of digits inside \objdata]

In this example the number of bytes swallowed as the numeric parameter is calculated with the formula: 0xFF (size of the temporary buffer) - 0xB (length of 'oldlinewrap') - 2 (null terminators) = 0xF2. Everything after those 0xF2 digits is decoded as hex data again.
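The three effects described in the 'State reset', 'Final destination' and 'Fixed-size buffer' sections can be reproduced with a small model of the decoder. The following Python is an added example written for this page, not code from the article or from MS Office, and it simplifies: the DESTINATIONS set is a handful of names mentioned above rather than the full table found with the fuzzer, \bin and the 0x4000 'broken hex' flag are not modelled, and any byte inside \objdata that is not a hex digit is simply skipped. The sample RTF fragments are constructed, not taken from the article's screenshots.

```python
# Added example (not code from the article or from MS Office): a Python model of
# the \objdata hex decoder as the states above describe it. Assumptions: the
# DESTINATIONS set is a small subset of the real table, \bin and the 0x4000
# "broken hex" flag are not modelled, and any byte that is not a hex digit is
# simply skipped inside \objdata.

TEMP_SIZE = 0xFF                      # temp buffer for control word + parameter
DESTINATIONS = {"objdata", "pict", "objalias", "fonttbl", "aftncn"}  # assumed subset
HEX = frozenset(b"0123456789abcdefABCDEF")
LETTERS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = frozenset(b"0123456789")


def decode_objdata(rtf: bytes) -> bytes:
    """Return the bytes that end up in the \\objdata buffer for this RTF input."""
    out = bytearray()   # the current \objdata buffer
    msb = True          # flag 0x8000: the next hex digit is a high nibble
    pending = 0         # high nibble waiting for its low nibble
    dest = None         # current destination
    groups = []         # destinations saved by '{' and restored by '}'
    i, n = 0, len(rtf)
    while i < n:
        c = rtf[i]
        if c == ord("{"):                        # create_new_group()
            groups.append(dest)
        elif c == ord("}"):                      # PARSER_END_GROUP
            dest = groups.pop() if groups else None
        elif c == ord("\\"):
            i += 1
            if i >= n:
                break
            if rtf[i] == ord("'"):
                # \'XX: PARSER_PARSE_HEX_NUM_MSB forces the shared flag back to
                # "high nibble"; PARSER_PARSE_HEX_NUM_LSB eats two bytes, hex or not
                msb = True
                i += 3
                continue
            if rtf[i] not in LETTERS:            # control symbol: \*, \{, \\ ...
                i += 1
                continue
            start = i                            # PARSER_PARSE_CONTROL_WORD
            while i < n and rtf[i] in LETTERS and i - start < TEMP_SIZE - 1:
                i += 1
            word = rtf[start:i].decode()
            # room left in temp for the parameter: 0xFF minus word, temp[0] and NUL
            room = max(0, TEMP_SIZE - len(word) - 2)
            if i < n and room and (rtf[i] in DIGITS or rtf[i] == ord("-")):
                i, room = i + 1, room - 1        # '-' or first digit
                while i < n and room and rtf[i] in DIGITS:
                    i, room = i + 1, room - 1    # PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER
                # once temp is full the next digit is NOT consumed: PARSER_BEGIN
                # re-reads it and it lands in the hex stream
            if i < n and rtf[i] == ord(" "):     # the delimiting space is consumed
                i += 1
            if word == "objdata":                # objdata constructor
                out = bytearray()                # the old buffer is abandoned
                msb = True
                dest = "objdata"
            elif word in DESTINATIONS:
                dest = word
            continue
        elif dest == "objdata" and c in HEX:     # PARSER_PARSE_HEX_DATA
            val = int(chr(c), 16)
            if msb:
                pending = val << 4
            else:
                out.append(pending | val)
            msb = not msb
        i += 1                                   # whitespace and other bytes are skipped
    return bytes(out)


def demo() -> dict:
    """Constructed samples (not the article's screenshots) -> decoded hex."""
    samples = {
        "clean": b"{\\rtf1{\\*\\objdata d0cf11e0a1b11ae1}}",
        # odd number of digits before \'cc: the pending 'f' nibble is dropped
        "odd_nibble_hexnum": b"{\\rtf1{\\*\\objdata d0cf11f\\'cce0a1b11ae1}}",
        # even number of digits: only \'cc itself vanishes
        "even_nibble_hexnum": b"{\\rtf1{\\*\\objdata d0cf\\'cc11e0}}",
        # a second \objdata: everything decoded before it is lost
        "second_objdata": b"{\\rtf1{\\*\\objdata d0cf11e0a1b11ae1\\objdata 4f4c45}}",
        # FF goes to the aftncn destination; objdata is restored at '}'
        "destination_group": b"{\\rtf1{\\*\\objdata d0cf{\\aftncn FF}11e0}}",
        # \aftnnalc is not a destination, so FF is decoded into objdata
        "plain_group": b"{\\rtf1{\\*\\objdata d0cf{\\aftnnalc FF}11e0}}",
        # {\objdata FF}: the destination is restored at '}', the buffer is not
        "objdata_group": b"{\\rtf1{\\*\\objdata d0cf{\\objdata FF}11e0}}",
        # 0xFF - 0xB - 2 = 0xF2 digits are swallowed as the parameter of \oldlinewrap
        "fixed_buffer": b"{\\rtf1{\\*\\objdata d0cf\\oldlinewrap" + b"0" * 0xF2 + b"11e0}}",
    }
    return {name: decode_objdata(s).hex() for name, s in samples.items()}


if __name__ == "__main__":
    for name, decoded in demo().items():
        print(f"{name:20} {decoded}")
```

The model follows the byte-consumption rules of the states shown earlier rather than the RTF specification, which is the point: a de-obfuscator that decodes objdata with a spec-compliant hex reader would keep the 'f' nibble, the data before the second \objdata and the swallowed digits, and would therefore not reproduce what Office extracts.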

Unnecessary data
While the techniques described above are related to general RTF parsing, the processing of some specific keywords conceals further confusion.

According to the specification, if \* is encountered right before a control word or control symbol that is not found in the lookup table, it is considered an unknown destination group and all the data up to the closing brace } of that group should be discarded. The lookup table in MS Office contains control words that are not present in the specification, which raises the concern that it will change in the future, so that the same document is parsed differently by different versions of MS Office. When the function responsible for processing keywords encounters such a case, or one of a few specific control words (such as \comment, \generator, \nonshppict and so on), it sets the state PARSER_SKIP_DATA and sets the count of encountered opening braces { to 1.

    enum
    {
        // ...
        PARSER_SKIP_DATA = 0xF,
        // ...
        PARSER_SKIP_DATA_CHECK_B = 0x13,
        PARSER_SKIP_DATA_CHECK_I = 0x14,
        PARSER_SKIP_DATA_CHECK_N = 0x15,
        PARSER_SKIP_DATA_GET_BIN_VAL = 0x16,
        PARSER_SKIP_DATA_INNER_DATA = 0x17,
        // ...
    };

Kind of magic
During analysis of the PARSER_SKIP_DATA* states I found behaviour that contradicts not only the specification but also the rest of the parser code.

While looking for the \bin control word, these states skip data, incrementing and decrementing the count of opening and closing braces until it reaches zero. The hidden catch lies in the way the numeric parameter of \bin is processed.

First, the maximum allowed length of the numeric parameter is increased to 0xFF: it is calculated without taking the length of the control word into account.

Second, the numeric parameter is not numeric anymore! The parser lets not only decimal digits but also Latin letters through. The parameter is then passed to a custom strtol, which makes it possible to specify the length of the data to be skipped (without regard to opening and closing braces) as a hexadecimal number.

Obfuscations that use these two primitives have not yet been encountered in the wild.

Conclusion
Reverse engineering has proved to be the most effective way to build a parser, and in the case of RTF it would most likely be impossible to achieve the desired behaviour otherwise.

Exact parsing depends on small implementation details and algorithmic bugs rather than on a specification that can be confusing or state things that are not true.

Kaspersky Lab products detect all kinds of RTF obfuscation and perform the most correct processing of RTF files, providing the best protection to our end users.