In continuation of the previous blog, wrapping up some interesting discussion points from the recent Black Hat event in Las Vegas, here we’ll look at a few more vulnerabilities for security researchers to be aware of.
A Windows vulnerability in the SMB file-sharing protocol, discovered 14 years ago and only partially patched by Microsoft, can still be abused remotely. Two security researchers showed a new approach to this old bug that can ultimately compromise credentials remotely and allow users to be impersonated from the Internet. “You visit a website, you are done. You are pwned,” Billiamoria said. Brossard and Billiamoria were able to modify the attack so that a rogue website captures the SMB login data: users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM in order to take over a computer. “Literally every service uses NTLM to authenticate,” the researchers said. One of the attacks demonstrated goes by the name of the "French Kiss attack", an extension of existing LAN attacks on SMB that works from the Internet. The paper introduces it through a naive study of an SMB connection over the Internet. It starts by describing the setup used for a quick experiment involving loading an image over SMB from a remote SMB share located on a public IP on the web, then follows up with the results of this empirical study and draws a few conclusions about the authentication mechanisms of SMB in such circumstances. Full article at: https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files-wp.pdf
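The attack above only works if a workstation is allowed to open an SMB session to a host on the Internet, so the first thing a defender wants is visibility of exactly that traffic. The following is an added example (not code from the original post or from the researchers' paper): it scans constructed, key=value style perimeter firewall log lines and flags outbound connections to the SMB ports (139 and 445) whose destination is outside the organisation's own address space. The log format, the sample lines and the "internal" network list are assumptions for the example; adapt them to the real firewall's export format and address plan.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# TCP ports used for SMB (NetBIOS session service and direct SMB over TCP)
SMB_PORTS = {139, 445}

# Assumed "internal" address space: RFC 1918, loopback and link-local.
# Adjust to the organisation's own ranges; anything else is treated as Internet.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (not real traffic). Line 2 is a workstation
# reaching an Internet host on 445, which is what a rogue web page would cause.
SAMPLE_LOG = """\
2015-08-06T10:12:03Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445 action=allow
2015-08-06T10:12:09Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=445 action=allow
2015-08-06T10:12:11Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443 action=allow
2015-08-06T10:13:40Z src=10.0.0.9 dst=198.51.100.23 proto=tcp dport=139 action=deny
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    event = {"ts": parts[0]}
    event.update(dict(FIELD_RE.findall(parts[1])))
    return event if {"src", "dst", "dport"} <= event.keys() else None


def is_internal(address: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_internet_smb(event: Dict[str, str]) -> bool:
    """Flag SMB connections whose destination is outside the internal ranges."""
    try:
        port = int(event["dport"])
    except ValueError:
        return False
    return port in SMB_PORTS and not is_internal(event["dst"])


def find_internet_smb(log_text: str) -> List[Dict[str, str]]:
    """Return every event that is an outbound SMB connection to the Internet.
    Denied connections are kept too: a blocked attempt still shows which
    host was lured into making it."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and is_internet_smb(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_internet_smb(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit.get('action', '?')})")
```

Running it over the constructed sample reports two events: the allowed session to 203.0.113.7:445 and the denied attempt to 198.51.100.23:139. An allowed hit means credentials may already have been offered to an external host; the mitigation that removes the problem at its root is to block outbound 139/445 at the perimeter so only the denied variety remains.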
In x86, beyond ring 0 lie the more privileged realms of execution, where code is invisible to AV, has unfettered access to hardware, and can trivially preempt and modify the OS. The architecture has heaped layer upon layer of protections on these ‘negative’ rings, but 40 years of x86 evolution have left a labyrinth of forgotten backdoors into the ultra-privileged modes. Lost in this byzantine maze of decades-old architecture improvements and patches lies a design flaw that has gone unnoticed for 20 years. Exploiting the vast, unexplored wasteland of forgotten x86 features, the researchers demonstrate how to jump malicious code from ring 0 into the deepest, darkest realms of the processor. The attack is performed with an architectural 0-day built into the silicon itself, and directed against a uniquely vulnerable string of code widely deployed on modern systems.
The x86 architecture is traditionally divided into “rings” of privilege, with ring 3 designated the least privileged realm of execution, and ring 0 the most. As the architecture evolved, and deeper levels of privilege became necessary, additional privilege separation mechanisms were developed to confine and restrict ring 0 code from even more powerful modes of execution, colloquially dubbed the negative rings. Ring -1, more commonly known as the hypervisor, is capable of preempting and isolating ring 0 code. Ring -2, System Management Mode (SMM), can further preempt ring -1, has unrestricted access to platform hardware, and in many cases can bypass Trusted Execution Technology (TXT), positioning it as the most privileged level of execution on modern x86 processors. Due to an extreme potential for abuse, SMM is protected through innumerable security mechanisms. However, the complexity of the architecture precludes the simple separations found in higher rings, and SMM security circumventions can be constructed through elaborate configurations of unexpected architectural features. Full article at: https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf
In this talk the researchers addressed the problem of exploiting timing side channels in web applications. To date, differences in execution time have been difficult to detect and to exploit: the very small differences induced by different security logic are often lost in significant network noise, which makes their detection difficult, and testing for and taking advantage of timing vulnerabilities is further hampered by the tools available. To that end, the researchers perform a thorough Monte Carlo comparison of several statistical techniques meant to identify the existence of differences in computation time in remote web applications, and then implement a tool that allows penetration testers to identify potential exploits more thoroughly.
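To make the statistical problem concrete, here is an added example (not the researchers' tool or code): a small Monte Carlo simulation in which a server-side comparison either exits at the first mismatching byte (leaking the length of the matching prefix) or always examines every byte, and each response time is buried under exponentially distributed network jitter. Two of the techniques such a comparison would evaluate are applied to the observed samples: the gap between low percentiles (the fastest responses carry the least noise) and a Mann-Whitney style statistic, the probability that a response for one guess is slower than a response for the other (0.5 means indistinguishable). The per-byte cost, the noise model, the secret and the sample size are constructed for the example and deliberately exaggerated so the effect is visible.

```python
import random
from typing import Callable, Dict, List

# Constructed simulation parameters (not measurements from the original talk)
NETWORK_NOISE_MEAN_MS = 2.0   # mean of the exponential network jitter
PER_BYTE_COST_MS = 0.5        # exaggerated cost of comparing one byte
SECRET = b"s3cr3t-t0k3n!"     # token the simulated server checks
SAMPLES = 2000                # requests per guess

CostFn = Callable[[bytes, bytes], float]


def leaky_compare_cost(secret: bytes, guess: bytes) -> float:
    """Server cost of an early-exit comparison: grows with the length of the
    matching prefix. This is the timing side channel."""
    matched = 0
    for a, b in zip(secret, guess):
        if a != b:
            break
        matched += 1
    return (matched + 1) * PER_BYTE_COST_MS


def constant_time_compare_cost(secret: bytes, guess: bytes) -> float:
    """Server cost of a comparison that always touches every byte."""
    return len(secret) * PER_BYTE_COST_MS


def observe(cost_fn: CostFn, secret: bytes, guess: bytes,
            n: int, rng: random.Random) -> List[float]:
    """What the remote tester sees: server cost plus exponential jitter."""
    return [cost_fn(secret, guess) + rng.expovariate(1.0 / NETWORK_NOISE_MEAN_MS)
            for _ in range(n)]


def percentile(xs: List[float], p: float) -> float:
    ys = sorted(xs)
    return ys[min(len(ys) - 1, int(p * len(ys)))]


def low_percentile_gap(a: List[float], b: List[float], p: float = 0.10) -> float:
    """Difference of the p-th percentiles; noise mostly adds delay, so the
    fastest responses are the cleanest view of the server's own cost."""
    return percentile(a, p) - percentile(b, p)


def auc(a: List[float], b: List[float]) -> float:
    """P(random sample of a > random sample of b), computed from ranks
    (the Mann-Whitney U statistic normalised to [0, 1])."""
    labeled = sorted([(x, 0) for x in a] + [(x, 1) for x in b])
    rank_sum_a = sum(rank for rank, (_, label) in enumerate(labeled, start=1)
                     if label == 0)
    n_a, n_b = len(a), len(b)
    u = rank_sum_a - n_a * (n_a + 1) / 2
    return u / (n_a * n_b)


def analyze(cost_fn: CostFn, seed: int = 1234) -> Dict[str, float]:
    """Compare timings for a guess sharing 8 leading bytes with the secret
    against a guess that mismatches on the first byte."""
    rng = random.Random(seed)
    good_prefix = SECRET[:8] + b"XXXXX"   # 8 matching bytes, then wrong
    bad_prefix = b"Z" + SECRET[1:]        # mismatch at byte 0
    t_good = observe(cost_fn, SECRET, good_prefix, SAMPLES, rng)
    t_bad = observe(cost_fn, SECRET, bad_prefix, SAMPLES, rng)
    return {"gap_ms": low_percentile_gap(t_good, t_bad),
            "auc": auc(t_good, t_bad)}


if __name__ == "__main__":
    for name, fn in (("early-exit compare", leaky_compare_cost),
                     ("constant-time compare", constant_time_compare_cost)):
        r = analyze(fn)
        print(f"{name:22s} 10th-percentile gap = {r['gap_ms']:.2f} ms, AUC = {r['auc']:.3f}")
```

With the early-exit comparison the low-percentile gap sits close to the 4 ms the eight extra byte comparisons cost and the AUC is far above 0.5, even though the per-request jitter is larger than the leak; with the constant-time comparison both statistics collapse to their null values. The same two estimators can be pointed at real request timings once the simulated cost functions are replaced by measured round trips.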
To contact Nettitude editor, please email email@example.com.