Tag Archives: Elevation of Privilege

December 2018: Further Zero Day Vulnerabilities Disclosed

=======================
Update: 6th February 2019
=======================
In mid-January; the security firm 0patch issued a micropatch for what I refer to as vulnerability 4 (discussed below). As before the patch can be applied and will protect your devices until Microsoft can issue a finalised update via the regular channels.

The patch is only available for Windows 10 Version 1803. 0patch have requested that you contact them if you wish to obtain a patch for another version of Windows 10. They have published a YouTube video of the patch preventing the proof of concept code from working as the attacker intended.

Approximately a week after this micropatch was issued; another micropatch was made available; this time for what I refer to as vulnerability 3 (discussed below). That patch is available for Windows 10 Version 1803 64 bit and Windows 7 bit. As before 0patch have requested that you contact them if you wish to obtain a patch for another version of Windows. Another YouTube video is available demonstrating the micropatch preventing the proof of concept code from reading any file on the system as the attacker intended. It does this by changing the permissions on the temporary MSI file created by Windows Installer. The micropatch was more complex than originally thought to create. 0patch wanted to issue their patch before the Holiday period in December but were unable to do so since it required more thorough testing before being made available but there was not enough time left for that testing.

The micropatch does not require a reboot. As before the patch does not need to be uninstalled once you later install the update from Microsoft.

At this time, it is assumed that Microsoft will issue a patch for these vulnerabilities in February but they may be more complex (similar to the previous JET vulnerability) and require further time to refine the fixes.

Thank you.

=======================
Original Post:
=======================
In the 3rd week of December; a security researcher using the name SandboxEscaper (who we have discussed twice before on this blog) announced a 3rd zero-day (defined) vulnerability followed by a 4th on the 30th of December.

For the 3rd vulnerability: Windows 7 and Windows 10 are confirmed as impacted. Windows 8.1 may also be vulnerable. For the 4th vulnerability; Windows 10 Version 1803 (Build 17134) has been confirmed as impacted (it’s unknown if newer builds of Window 10 or if Windows 7/8.1 are vulnerable).

How severe are these vulnerabilities and what is their impact?
I’ll break these into 2 sections:

=======================
Vulnerability 3:
Arbitrary file read issue: Uses MsiAdvertiseProduct:
=======================
From the limited information available this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to read/copy any files they choose using the permissions from the Windows Installer Service namely LocalSystem privileges (the highest level of privilege)(defined). The vulnerability makes use of a time to check to time to use (TOCTOU) race condition type.

In the same manner as the previous vulnerabilities it may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links (within emails, links within IM clients or social networks). Security researcher Will Dormann found this exploit inconsistent when used. Meanwhile Acros Security CEO Mitja Kolsek stated It was very likely a micropatch for this exploit would be available before the holiday period.

=======================
Vulnerability 4:
Arbitrary file overwrite issue: Proof of concept overwrites pci.sys
=======================
As above; this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to overwrite pci.sys with information about software and hardware problems, collected through the Windows Error Reporting (WER) but the attacker can also influence what data is used to overwrite the original file. The vulnerability again makes use of a race condition which means that the exploit doesn’t always provide the attacker with the intended result. This is especially true for systems with a single CPU core.

However; the choice of pci.sys for the proof of concept was an example; any file could be used (confirmed by Will Dormann).

How can I protect my organization/myself from these vulnerabilities?
The same advice issued for the first two zero day disclosures again applies here. This US-CERT advisory also provides advice for safely handling emails.

If you wish to deploy the micropatch from the firm 0patch; please test how well it works in your environment thoroughly BEFORE deployment in your production environment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.

Oracle VirtualBox Zero Day Disclosed

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

Windows Data Sharing Service Zero Day Disclosed

In late October, a new Windows zero day vulnerability (defined) was publicly disclosed (defined) by the security researcher SandboxEscaper (the same researcher who disclosed the Task Scheduler zero day in early September. This vulnerability affects a Windows service; Data Sharing Service (dssvc.dll) present in Windows 10 and its Server equivalents 2016 and 2019. Windows 8.1 and Windows 7 (and their Server equivalents (Windows Server 2008 R2, Windows Server 2012 R2) are not affected.

How severe is this vulnerability and what is its impact?
Similar to the Task Scheduler vulnerability; this vulnerability is not remotely exploitable by an attacker (more on this below). This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to delete any files they choose since they will inherit the same level of permission (privilege escalation)(defined) as the Data Sharing Service namely LocalSystem privileges (the highest level of privilege)(defined) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment (most likely sent over email or via instant messaging etc.).

As with the Task Scheduler vulnerability; this vulnerability may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links.

While security researchers such as Will Dormann (mentioned above) and Kevin Beaumont were successful in verifying the proof of concept code worked; they class the vulnerability difficult to exploit. This was verified by Acros Security CEO Mitja Kolsek noting he could not find a “generic way to exploit this for arbitrary code execution.” Indeed, SandboxEscaper described the vulnerability as a low quality bug (making it a “pain” to exploit). Tom Parson’s from Tenable (the vendor of the Nessus vulnerability scanner) summed it up nicely stating “to put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability”.

The vulnerability may allow the attacker to perform DLL hijacking (defined) by deleting key system DLLs (defined) and then replacing them with malicious versions (by writing those malicious files to a folder they have now have access to). Alternatively this functionality could be used to make a system unbootable by for example deleting the pci.sys driver. This has earned the vulnerability the name “Deletebug.”

How can I protect my organization/myself from this vulnerability?
As before with the Task Scheduler vulnerability; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email from may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.

If you choose to; the firm 0patch has issued a micro-patch for this vulnerability. They developed the fix within 7 hours of the vulnerabilities disclosure. It blocks the exploit by adding impersonation to the DeleteFileW call. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability and JET vulnerabilities. Moreover; this vulnerability may be patched tomorrow when Microsoft releases their November 2018 updates.

As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe)(which runs with admin privileges (high level of integrity)) usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege namely System level integrity. This is a stage one of their attack. If the attackers find anything of interest on the infected system a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shutting down an application or parts of Windows of their choice and listing the contents of the data stored on the system.

The attackers also use the following tools to move from system to system across (laterally) a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker substituted file; the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dorman from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems; the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8 making it make of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.

Adobe Issues Further Security Updates

Early last week Adobe made available a further un-scheduled emergency security update available for download affecting Creative Cloud Desktop Application version 4.6.0 and earlier. This vulnerability impacts both Apple macOS and Windows systems.

If an attacker were to exploit this they could elevate their privileges (defined). As with the previous security update the vulnerability was responsibly disclosed (defined) to Adobe by Chi Chou of AntFinancial LightYear Labs.

Please follow the steps within this security bulletin to check if the version of Creative Cloud Desktop Application you are using is impacted and if so; follow the steps to install the relevant update.

Thank you.

FTP Handling Vulnerabilities Disclosed in Java and Python

Last month security researchers Alexander Klink and Blindspot Security Researcher Timothy Morgan publicly disclosed information disclosure and low-privilege code execution vulnerabilities affecting Oracle Java and Oracle Java/Python respectively. Alexander Klink’s vulnerability relates to XXE (XML External Entity) processing specifically crafted XML files leading to information disclosure. Timothy Morgan’s vulnerabilities involve adding Carriage Return (CR) and Line Feed (LF) characters to the TCP stream (a structured sequence of data) to the FTP processing code within Java and Python. The researchers notified the affected vendors over a year ago but the vendors did not address these issues. Timothy Morgan’s vulnerability also causes firewalls to open a port to temporarily allow an FTP connection.

How can I protect myself from these vulnerabilities?
Fortunately exploitation of these vulnerabilities is not trivial since the first FTP vulnerability requires an attacker to already have already compromised an organizations internal email server. The second vulnerability requires an attacker to know the victims internal IP address and for the FTP packets to be in alignment.

System administrators responsible for network infrastructure should monitor communications to email servers for suspicious activity and ensure internal computer systems are not accessible from the external internet (for example using Shodan). Apply vendor software updates when made available for these issues. The blog posts from the researchers here and here provide further detailed recommendations to mitigate these vulnerabilities.

Thank you.

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach to more and more areas of our everyday lives, both companies and individuals need to take steps to improve the security of their equipment/devices. It’s not just devices such as thermometers (while important) in our homes at risk; devices that impact health and safety as well as entire communities and economies are being / or will be targeted.

For example, last month a cyber-attack took place in Ukraine that while it only lasted approximately 1 hour, served to cause a power outage in an entire district of Kiev. The on-going investigation into this attack believes it to be the same attackers responsible for the December 2015 attack (that attack affected approximately 250,000 people for up to 6 hours).

In a similar manner, a smaller energy company (at an undisclosed location) was a victim of the Samsam ransomware (defined). The attackers initially compromised the web server and used a privilege escalation vulnerability (defined) to install further malware and spread throughout the network. The attackers demanded 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that didn’t work.

Fortunately, this energy company had a working backup and was back online after 2 days. The root cause of infection? Their network not being separated by a DMZ (defined) from their industrial networks. This Dark Reading article also details 2 further examples of businesses affected who use industrial systems namely a manufacturing plant and a power plant. Both were located in Brazil.

Mark Stacey of RSA’s incident response team says that while nation states have not yet employed ransomware in industrial systems, it will certainly happen. He cites the example of a dam, where the disabling of equipment may not demand a large ransom compared to the act of encrypting the data required for its normal operation.

Former US National Security Official Richard Clarke is suggesting the use of a tried and tested means of increasing the security of all deployed industrial control systems. As it is very difficult convincing those on the Board of Directors to provide budget for something that has not happened/may not happen, he suggests employing an approach similar to that of the Y2K bug. This would require introducing regulations that require all devices after a given date be in a secured state against cyber-attack. He advocates electric power, connected cars and healthcare providers follow this approach and notes that without regulation “none of this is going to happen.” Since these regulations would apply to all ICS/SCADA (defined) vendors, they would also not loose competitiveness

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should assist with securing IoT and ICS/SCADA devices. However, this is just the beginning. This scanner from Beyond Trust is another great start. As that article mentions the FTC is offering $100,000 to “a company that can discover an innovative way of managing and patching IoT devices.” Securing IoT devices is not an easy problem to solve.

However, progress is happening with securing critical infrastructure and Internet of Things (IoT)(defined) devices. For example, please find below resources/recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure e.g. power, gas, communications, water filtration etc. The US ICS-CERT has a detailed list of recommendations available from the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

=======================
I hope that you find the above resources useful for securing ICS/SCADA as well as IoT devices that are very likely a target this year.

Thank you.