Security Week 45: sandbox escape, EMET bypass through WOW64, 000webhost hack
The quotes from Eugene Kaspersky's book that I attach to each digest show the threat landscape as it looked at the start of the 1990s, or rather where information security sat relative to the rest of the world. Up to about the early 2000s, before the first mass epidemics of still fairly simple malware, information security was perceived as something even more arcane than IT in general. Those were good times, but they ended. In the mid-2010s everyone discusses cyberthreats: scientists, parliamentarians, even pop stars. The October digests of the most popular news show this clearly: first we hit the theory of cryptography, then suddenly jumped into legislation. And yes, that is necessary: all of it affects cyberspace in some way, though not right now.
But practical security has remained what it always was: a complex, purely technical topic. The threat landscape cannot be adequately assessed by looking only at society's reaction or only at academic research. Those bills are important, but have little in common with practice; they are connected with IT only insofar as their text was typed in Word. Not a great discovery, but a clear hint: it would be nice to keep a balance. It is gratifying that this week all the most popular news is from the practical sphere. No politics, no threats that might be exploited in fifteen years. Everything is here and now, as we like it. Long live moderate hardcore. Whee!
Previous episodes live here.
Xen closes a dangerous vulnerability that allowed a sandbox escape
News. Security advisory. Advisory from the developers of QubesOS.
What was found: a vulnerability in the Xen hypervisor, present since version 3.4.0, which under a number of conditions allows a guest virtual machine to gain full control over the host, accomplishing what is called a "sandbox escape". Witnesses to the event interpret it differently. Xen's restrained advisory states: "The code used to validate these second-level tables can be circumvented if certain conditions are met." The developers of QubesOS, a security-focused operating system, put it more bluntly: "Probably the worst [vulnerability] of all that we have seen in the Xen hypervisor. Unfortunately."
Xen Developer Response:
QubesOS Developer Response:
They can be understood: QubesOS uses virtualization to isolate tasks from each other as much as possible: work from entertainment, banking from porn sites, and so on. Any sandbox-escape vulnerability wipes out all their carefully configured protection, hence the frustration. And not only theirs: the Xen code base is used by Amazon, among others, and by thousands of companies around the world. Incidentally, the vulnerability was reported by a researcher from China's Alibaba. On Amazon, I recommend this article, which describes the mitigation process in some detail. The general picture is clear: you need to assess the scale of the problem and roll out the patch quickly, but without breaking anything for the clients (ideally without even rebooting their VMs). Not an easy task.
But an important one, because in theory you could buy a dozen dirt-cheap VMs in different Amazon EC2 data centers, use them to gain control of the hosts, and then set off on an exciting quest through other people's servers. The key phrase here is "in theory": there has been no proof and none is expected, and I do not think Amazon relies solely on Xen's code for security. But as a way of gauging the scale of the problem it is the right example. How often are holes like this found? More often than one would like. A QubesOS representative writes outright that security does not appear to be a visible priority in Xen's development process. The previous vulnerability (also a sandbox escape, but with tighter constraints on exploitation) was found at the end of July.
The WoW64 subsystem can be used to bypass EMET on Windows
News. Research by Duo Security.
The Enhanced Mitigation Experience Toolkit is a set of Microsoft technologies intended to raise application security. In other words, it lets you apply exploit mitigations such as ASLR and DEP to programs even when the developers did not bother to enable them themselves. This convenience has an obvious downside: bypassing EMET lowers the level of protection not of one application but of a whole set at once.
What Duo Security's researchers found is not even a vulnerability in the sense of an exploitable hole in EMET. It is more a "leak at the seam": EMET turned out to be less effective on a 64-bit OS when the program being protected was built for the 32-bit version. That happens often, if not almost always: most browsers, for example, run as 32-bit processes in a 64-bit environment. As proof I'll attach a screenshot from my own computer (and look how much memory it eats!).
For such a setup to work, 64-bit Windows has the WoW64 subsystem (not "wow" but Windows on Windows 64). EMET's success depends on how well its mitigations control someone else's code, and in the case of WoW64 it turns out that they control it poorly. As an example the researchers take an exploit for a use-after-free vulnerability in Adobe Flash discovered in January of this year. EMET is designed to deal with exactly such memory tricks (when the developer couldn't), but a small modification of the exploit allowed the researchers to bypass the protection completely, owing to the complexity of the interaction between EMET and WoW64.
Nobody can be trusted. Fortunately this is only research so far, but the conclusion is clear: Microsoft has done well with EMET, but you cannot rely on it entirely. If a vulnerability is discovered and exploited, you need to be able to block it in several ways, and the more the better. Ideally an exploit should not even be allowed to reach a vulnerable OS or run in a vulnerable application; it should be shot down at a distant perimeter, for example with a blacklist of dubious URLs. The Xen story, though from a completely different opera, says the same thing: there should be a lot of security, and ideally everywhere.
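The practical question the research leaves an administrator with is "which of my binaries fall into the weaker-coverage case?" That is answerable without any Microsoft tooling: a 32-bit x86 PE image (Machine = 0x14C in the file header) is exactly what 64-bit Windows starts through WoW64. The following is an added example written for this digest, not code from Duo Security or Microsoft. It parses only the DOS and PE headers; the two stub headers it builds are constructed so it runs offline, and the scan helper assumes you point it at real .exe files.

```python
"""Find PE images that would run under WoW64 on 64-bit Windows (added example, not the page's code)."""
import struct
from typing import Dict, Iterable

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86: started through WoW64 on x64 Windows
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # native 64-bit


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image, or raise ValueError if the header is not a PE."""
    # DOS header: "MZ" magic, e_lfanew (file offset of the PE signature) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # "PE\0\0" is followed immediately by IMAGE_FILE_HEADER, whose first field is Machine.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def runs_under_wow64(data: bytes) -> bool:
    """True for a 32-bit x86 image, i.e. one that 64-bit Windows will start through WoW64."""
    return pe_machine(data) == IMAGE_FILE_MACHINE_I386


def scan_files(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each readable PE path to whether it would run under WoW64; non-PE files are skipped."""
    result: Dict[str, bool] = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                head = f.read(0x1000)  # headers sit in the first page of any real PE
            result[path] = runs_under_wow64(head)
        except (OSError, ValueError):
            continue
    return result


def make_stub(machine: int) -> bytes:
    """Constructed minimal header (not a runnable program): MZ stub, e_lfanew=0x40, PE signature, Machine."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew points right after the DOS header
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # 20-byte IMAGE_FILE_HEADER
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    # Usage (path is an assumption): python wow64check.py "C:\Program Files (x86)\...\browser.exe"
    for path, wow in scan_files(sys.argv[1:]).items():
        print(f"{path}: {'32-bit, runs under WoW64' if wow else '64-bit native'}")
    print("constructed x86 stub ->", runs_under_wow64(make_stub(IMAGE_FILE_MACHINE_I386)))
```

Anything the scan flags as 32-bit is a process whose EMET coverage the research above calls into question; that list is where additional layers (update discipline, URL filtering, a 64-bit build where the vendor offers one) matter most.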
Cherry on the cake: some studies spare me the problem of finding funny pictures. Duo Security offers this:
The 000webhost hack leaked 13.5 million user passwords
News. The host's FAQ. The original Facebook post about the hack (100 likes). Expert Troy Hunt's post with details.
In theory, a story like the Xen vulnerability could be used to hack a hosting provider: there are virtual machines, there is a vulnerability, there is an exploit, there is access to private information such as the client database. The hack of the Lithuanian hoster 000webhost shows that such complex tactics are generally not needed (even if possible) when much simpler and more reliable methods exist. In this case, the attackers broke in through an outdated version of PHP on the company's website and through it gained access to customer data, including passwords. Troy Hunt, owner of the Have I Been Pwned? service, reports that user passwords were stored on the host in plain text.
What's the point of sophisticated attack methods and research into cipher weaknesses when in reality our data leaks like this? Still, 000webhost reacted to the incident correctly: they published all the necessary information, reset passwords, temporarily closed access to some services (and did not forget to announce when access was restored). In capital letters, bold, italics and underlined, the incident FAQ says:
Well, I admit there were no italics. But the idea is right: do not use compromised passwords anywhere else. I would add that passwords in general, properly speaking, should be unique. In the bright future our more secure cyber world will be exactly like that.
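The gap between what 000webhost reportedly stored and what a hoster should store is a few lines of code. Below is an added example written for this digest, not the host's code and not Troy Hunt's, using only Python's standard library: a salted PBKDF2 record, constant-time verification, and a login path that upgrades a legacy plaintext row on the user's next successful login, which is the realistic migration path for an existing customer table. The sample users are constructed; the iteration count, record format and function names are my choices.

```python
"""Password storage: the plaintext anti-pattern beside a salted KDF (added example, not the page's code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # tune so one hash costs ~100 ms on your hardware; raise it over time


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(16) if salt is None else salt  # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time check of a candidate password against a stored PBKDF2 record."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, non-numeric iterations
        return False


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True for a legacy row (plaintext, other algorithm, or too few iterations) that must be upgraded."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def login(users: Dict[str, str], name: str, password: str) -> bool:
    """Authenticate against the table and transparently upgrade legacy records on success."""
    record = users.get(name)
    if record is None:
        return False
    if record.startswith(ALGO + "$"):
        ok = verify_password(password, record)
    else:
        # Legacy plaintext row: exactly what a leaked dump of such a table hands straight to the attacker.
        ok = hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))
    if ok and needs_rehash(record):
        users[name] = hash_password(password)  # the plaintext is gone from the table after this login
    return ok


# Constructed sample table: one legacy plaintext row, one properly hashed row.
def sample_users() -> Dict[str, str]:
    return {
        "alice": "Summer2015!",                             # stored as 000webhost reportedly stored them
        "bob": hash_password("correct horse battery staple"),
    }


if __name__ == "__main__":
    users = sample_users()
    print("alice before:", users["alice"])
    print("alice login:", login(users, "alice", "Summer2015!"))
    print("alice after: ", users["alice"][:40] + "...")
    print("bob wrong pw:", login(users, "bob", "wrong"))
```

Two points the code makes that the prose alone does not: a dump of the hashed table still costs the attacker one full PBKDF2 run per guess per user, whereas the plaintext table costs nothing; and the migration needs no forced reset of unaffected accounts, only a rehash on the next login. After a breach like this one, the forced reset the host performed is the right call regardless, because the plaintext rows were already in the attacker's hands.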
What else happened:
Social engineering news: a mobile malware poses as a Word document, with the icon everyone knows and understands. It steals personal data, sends paid SMS and calls premium-rate numbers.
A patch for the Stagefright 2.0 vulnerability has been released; owners of Nexus smartphones and those who regularly sync their code base with the Android Open Source Project will receive it first. The rest, as usual, will have to wait, anywhere from a month to never.
Antiquities:
Family “Flip”
When an infected file is launched, they infect the MBR of the hard disk (they reduce the size of the logical disk and write the old MBR sector and its continuation into the freed space). COM and EXE files are infected in the standard way on launch. In files, "Flip" is a "ghost" virus: it is encrypted, and the decryptor has no constant section (signature) longer than 2 bytes.
On the 2nd of the month at 16:00 they "flip" the screen: they reverse (top-bottom, right-left) the arrangement of characters on the screen and mirror their images ('P' becomes 'b').
“Flip-2327” replaces a set of commands in the files:
MOV DX, Data_1
MOV Data_2, DX
MOV DX, Data_3
MOV Data_4, DX
(this sequence of instructions occurs in COMMAND.COM in the subroutine responsible for displaying the results of the DOS FindFirst and FindNext functions on screen) with a call to INT 9Fh. The virus contains an INT 9Fh handler and "reduces" the displayed file lengths. Files modified in this way should be restored from backups.
They contain the text OMICRON by PsychoBlast. They hook INT 10h, 1Ch, 21h, 9Fh.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, pages 103-104.
Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.