Wednesday, September 24, 2014

Bash Vulnerability: CVE-2014-6271

Test if you are vulnerable

Nothing really to add here. It just makes me think.... those things still happen (thxG). More here, here, here, here and here
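A local self-check for the vulnerability referenced above, added here as an example (it is not code from the post): it runs the widely published function-import test against the bash on PATH and also checks whether that bash already uses the hardened BASH_FUNC_ export namespace. The MARKER string and the probe script are constructed values.

```python
"""Local self-check for CVE-2014-6271 (added example, not from the post).

Runs the widely published function-import test against the bash found on PATH
and, separately, checks whether that bash exports functions under the hardened
BASH_FUNC_<name>%% (or BASH_FUNC_<name>()) namespace that the post-Shellshock
patches introduced. Only the local interpreter is examined; nothing is sent
anywhere."""
import os
import shutil
import subprocess


def _run_bash(extra_env, script):
    """Run `bash -c script` with a minimal environment plus `extra_env`."""
    bash = shutil.which("bash")
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env)
    proc = subprocess.run([bash, "-c", script], env=env,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def check_cve_2014_6271():
    """Return 'vulnerable', 'patched' or 'bash-not-found'.

    An unpatched bash parses the exported variable as a function definition and
    keeps executing what follows the closing brace, so MARKER gets printed."""
    if shutil.which("bash") is None:
        return "bash-not-found"
    out = _run_bash({"x": "() { :;}; echo MARKER"}, "echo probe")
    return "vulnerable" if "MARKER" in out else "patched"


def function_export_hardened():
    """True when exported functions carry the BASH_FUNC_ prefix, meaning bash
    no longer imports arbitrary variables that merely start with '() {'.
    None when bash is not installed."""
    if shutil.which("bash") is None:
        return None
    out = _run_bash({}, "f() { :; }; export -f f; env")
    return "BASH_FUNC_f" in out


if __name__ == "__main__":
    print("CVE-2014-6271:", check_cve_2014_6271())
    print("function export namespace hardened:", function_export_hardened())
```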

UPDATE:
From PasteBin (here)
No way... wondering how many triggering vectors are out there


A few days after the original 6271, more than 5 vulnerabilities have been found in the same "way". My favorite place to stay up-to-date on this topic is that Repository.
If you are still wondering what the real risks for your company are, here are some simple examples from (here).

Find your vulnerable CGI. Get it, and learn from the results...

As simple as a curl, remove everything you want (this is freaking scary).

And then be sure everything went as you wished.

Are you wondering.... if I could...., ..., yes you can!

And, yes.. this vulnerability is "wormable": it might be used for spreading worms.

Wednesday, September 10, 2014

Nice Way To Evade Dynamic Analysis

One of the most important rules in building dynamic analysis environments is to deny internet connectivity to the "potential malicious code". Indeed, the "potential malicious code" might try to exploit the analysis system itself if an internet connection is available. To respect this basic rule, when sandboxed code tries to open an internet page, the sandbox environment sends back a static 200 code, letting the "potential malicious code" compare the received page to the one it needs. At that point the analysis system might try to "taint" the code and/or apply its own detection mechanisms.

A smart way to detect whether code is sandboxed or not is to try to reach an unreachable internet site. If the code reads back a 200, it has been sandboxed, since it was trying to reach an unreachable page. A simple Python example follows.

Python 2.7 Example

A simple Java example of the aforementioned technique follows.

A Java Example
Another typical example written in C

C Example
That trick has been known since 2012. Have a nice evasion.
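On the sandbox side, the trick above only works while every request gets a 200. The following is an added example (not code from the post) of a fake-internet policy that answers 200 only for plausible or analyst-seeded hosts, returns a simulated NXDOMAIN for throwaway names, and records such requests as an evasion indicator; the host names and the seeded list are constructed.

```python
"""Fake-internet policy for a malware sandbox (added example, not from the post).

The evasion described above works because the sandbox answers 200 for every
URL. This policy answers 200 only for hosts the analyst seeded or that look
like names someone would register; requests for throwaway names that cannot
exist get a simulated NXDOMAIN and are recorded as likely reachability probes.
Host names and the seeded list below are constructed."""
import re


def looks_unregistered(host):
    """Heuristic on the registrable label: evasion probes tend to use names
    nobody would register (very long, vowel-less or digit-heavy labels)."""
    parts = host.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label or len(label) > 20 or not re.search(r"[aeiou]", label):
        return True
    digits = sum(ch.isdigit() for ch in label)
    return digits / len(label) > 0.3


class FakeInternet:
    """Decides what the sandboxed sample sees for each HTTP request."""

    def __init__(self, known_hosts):
        self.known_hosts = {h.lower() for h in known_hosts}  # analyst-seeded
        self.probes = []  # names the sample asked for that cannot exist

    def handle(self, host):
        """Simulated response for one request; 200 only for plausible hosts."""
        host = host.lower()
        if host in self.known_hosts or not looks_unregistered(host):
            return {"host": host, "status": 200, "body": "<html>sandbox page</html>"}
        # What the real internet would do, so the sample cannot use the reply
        # as a sandbox oracle; the request itself is the evasion indicator.
        self.probes.append(host)
        return {"host": host, "status": None, "error": "NXDOMAIN"}

    def evasion_suspected(self):
        """A sample probing names that cannot resolve is fingerprinting us."""
        return len(self.probes) > 0


if __name__ == "__main__":
    net = FakeInternet(["www.google.com"])
    for h in ["www.google.com", "zq83kd9x1pfm7.com"]:
        print(net.handle(h))
    print("evasion suspected:", net.evasion_suspected())
```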

Sunday, July 27, 2014

Cyber Intelligence abusing Internet Explorer to perform Targeted Attacks

A "mandatory" step to achieve a complete and successful targeted attack is the so-called "Cyber Intelligence Phase". By definition every targeted attack owns at least one specific characteristic which makes it perfectly fit for a given target. As you might agree, one of the most important activities in developing a targeted attack is to know exactly what's running on the target system. The activity which takes care of "discovering" what's running on a given system is often called Cyber Intelligence (many of you in the Cyber Intelligence field might know a slightly different definition... but this is not the point). I won't write, in this quick and dirty blog post, about cyber intelligence; I want to point you to simple techniques to perform target enumeration by using Internet Explorer.

One of the most used techniques to perform Cyber Intelligence through Internet Explorer (IE) is the "abuse of resource" (res://) calls. This technique affects IE 6 through 8. It has been widely discussed on many online sites (for example: here, here, here and here). The technique is based on the fact that IE blocks access to the local file system through the "file://" call, but lets the "res://" call access image resources on the file system. To exploit this IE behavior the attacker might look at specific executables holding (as resources) specific images. The res:// abuse has been used as a Cyber Intelligence weapon in several attacks including the "waterhole campaign affecting a Thailand NGO" as posted here. The aforementioned behavior could be exploited as follows:

From AlienVault Article
The resList contains the list of executable files used to detect AntiVirus software. Following is a simple example taken from a real case. Similar code was found in Skipot too...

From AlienVault Article
Another technique used to map software on a target host is implemented through the Microsoft XMLDOM ActiveX information disclosure vulnerability. This vulnerability has been widely discussed as well (here, here, and here). Basically Microsoft.XMLDOM is an ActiveX control that can run in Internet Explorer without prompting the user. This object contains methods that can leak information about a computer system to the operator of a website. By looking at the error codes provided by the XMLDOM ActiveX control, an attacker can check for the presence of local drive letters, directory names and files, as well as internal network addresses or websites. It is confirmed that this issue affects Internet Explorer versions 6 through 11 running on Microsoft Windows through version 8.1. The following code shows an example implementation of such a vulnerability. It looks for the presence of specific files on the target system.

Implementation of XMLDOM ActiveX vulns
Following this path, attackers might use more XMLDOM vulnerabilities such as CVE-2014-0322, in which Microsoft Internet Explorer 9 and 10 allow remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the "onpropertychange" attribute of a script element, as exploited in the wild in January and February 2014. MSF exploits are available out there. As WebSense discussed in its Security Blog post, attackers used the described technique to identify the presence of Microsoft EMET on the target system. The same technique was found in the Angler Exploit Kit and later on in the Goon and Cool Exploit Kits too.
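From the defender's side, both enumeration tricks described above leave recognizable traces in the served HTML. The detector below is an added example (not code from the post or from the AlienVault write-up); it scans a page for res:// references to local executables and for Microsoft.XMLDOM external entities pointing at local paths. The HTML fixture is constructed and its product names and paths are placeholders.

```python
"""Detector for IE-based software enumeration in a served web page (added
example, not code from the post or from AlienVault). It flags the two Cyber
Intelligence tricks described above: res:// references that test for locally
installed executables, and Microsoft.XMLDOM probes of local file paths. The
HTML fixture is constructed; its product names and paths are placeholders."""
import re

# res://<module path>/<type>/<id>: the module path reveals the probe target.
RES_MODULE = re.compile(r'res://([^"\'<>]+?\.(?:exe|dll))', re.I)
XMLDOM_CTOR = re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLDOM["\']', re.I)
# External entity pointing at a local file: the error code tells if it exists.
FILE_ENTITY = re.compile(r'SYSTEM\s+["\']file:///([^"\']+)["\']', re.I)

FIXTURE = r'''<html><body>
<img src="res://c:\Program Files\ExampleAV\scanner.exe/#2/#101"
     onload="hit('ExampleAV')" onerror="miss('ExampleAV')">
<img src="res://c:\Program Files\ExampleMitigation\gui.exe/#2/#1" onload="hit('Mitigation')">
<script>
var x = new ActiveXObject("Microsoft.XMLDOM"); x.async = false;
x.loadXML('<!DOCTYPE d [<!ENTITY e SYSTEM "file:///c:/Program Files/ExampleAV/scanner.exe">]><d>&e;</d>');
</script></body></html>'''


def scan_page(html):
    """Return the executables and paths the page probes for, plus a verdict."""
    res_modules = sorted(set(RES_MODULE.findall(html)))
    probed_paths = sorted(set(FILE_ENTITY.findall(html)))
    uses_xmldom = XMLDOM_CTOR.search(html) is not None
    findings = []
    if res_modules:
        findings.append("res:// references to %d local executable(s)" % len(res_modules))
    if uses_xmldom and probed_paths:
        findings.append("Microsoft.XMLDOM used to test %d local path(s)" % len(probed_paths))
    return {"res_modules": res_modules, "xmldom_probed_paths": probed_paths,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for finding in scan_page(FIXTURE)["findings"]:
        print("suspicious:", finding)
```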

Cyber Intelligence is one of the most fascinating fields. It does nothing bad per se; it simply offers detailed info to the next "phases". As always happens, such info could be used by legitimate systems as well as by attackers' systems. As you probably have learned in the past years... watch out what you browse!

Tuesday, July 1, 2014

OpenSSL CCS Attack

As you might see from my post frequency, the last months have been pretty busy for me. My hacking team and I are working really hard and we are achieving incredible results, which makes me happy but really busy as well. The OpenSSL CCS Attack (CVE-2014-0224) is almost one month old and not super interesting to exploit so far, but since we got great experience on that specific vulnerability I decided to "fix it" in my memory in the following way.

The CVE-2014-0224 bug has existed since the very first OpenSSL release, and this makes (at least to me) the whole story very fascinating. The issue basically happens because OpenSSL inappropriately accepts a ChangeCipherSpec (CCS) during a handshake. The following picture shows the correct way to implement a full protocol handshake.

The bug is triggered if a ChangeCipherSpec message is injected after the ServerHello but before the master secret has been generated (ClientKeyExchange). At this point ssl3_do_change_cipher_spec generates the key pair and the expected Finished hash for the handshake with an empty master secret (implementation bug). Moreover, the key pair will be latched, because further ChangeCipherSpec messages regenerate the expected Finished hash but no new keys. The following image shows the injection time frame.

The buggy code is the following (the numbers 1, 2 and 3 follow the above description):

int ssl3_do_change_cipher_spec(SSL *s)
    {
    int i;
    const char *sender;
    int slen;

    if (s->state & SSL_ST_ACCEPT)
        i=SSL3_CHANGE_CIPHER_SERVER_READ;
    else
        i=SSL3_CHANGE_CIPHER_CLIENT_READ;

    if (s->s3->tmp.key_block == NULL)                       /* 1 */
        {
        if (s->session == NULL)
            {
            /* might happen if dtls1_read_bytes() calls this */
            return (0);
            }

        s->session->cipher=s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) return(0);   /* 2 */
        }

    if (!s->method->ssl3_enc->change_cipher_state(s,i))
        return(0);

    /* we have to record the message digest at
     * this point so we can get it before we read
     * the finished message */
    if (s->state & SSL_ST_CONNECT)
        {
        sender=s->method->ssl3_enc->server_finished_label;
        slen=s->method->ssl3_enc->server_finished_label_len;
        }
    else
        {
        sender=s->method->ssl3_enc->client_finished_label;
        slen=s->method->ssl3_enc->client_finished_label_len;
        }

    i = s->method->ssl3_enc->final_finish_mac(s,
        sender,slen,s->s3->tmp.peer_finish_md);              /* 3 */
    if (i == 0)
        return 0;
    s->s3->tmp.peer_finish_md_len = i;

    return(1);
    }
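To make the three numbered steps concrete, here is an added model of the state bug (it is a simplified stand-in written for this post, not OpenSSL code): an early CCS derives and latches the key block from an empty master secret, a later legitimate CCS only refreshes the expected Finished hash, and the "strict" flag reproduces the patched behaviour of rejecting a CCS that arrives before the ClientKeyExchange. HMAC-SHA256 stands in for the TLS PRF and the premaster value is constructed.

```python
"""Model of the CVE-2014-0224 state bug (added example, not OpenSSL code).

hmac-sha256 stands in for the TLS PRF; `strict` reproduces the patched
behaviour, where a ChangeCipherSpec received before the master secret exists
is rejected instead of being processed."""
import hashlib
import hmac


def prf(secret, label):
    """Stand-in key derivation (the real code uses the TLS PRF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


class HandshakeError(Exception):
    pass


class Ssl3Endpoint:
    def __init__(self, strict):
        self.strict = strict
        self.master_secret = None      # produced by the ClientKeyExchange step
        self.key_block = None          # (1) generated only while NULL: latched
        self.expected_finished = None

    def on_client_key_exchange(self, premaster):
        self.master_secret = prf(premaster, b"master secret")

    def on_change_cipher_spec(self):
        if self.strict and self.master_secret is None:
            raise HandshakeError("CCS received before ClientKeyExchange")
        secret = self.master_secret or b""          # empty when the CCS is early
        if self.key_block is None:
            self.key_block = prf(secret, b"key expansion")   # (2) setup_key_block
        self.expected_finished = prf(secret, b"finished")    # (3) final_finish_mac

    def keys_attacker_known(self):
        """True when the latched keys derive from the empty master secret."""
        return self.key_block == prf(b"", b"key expansion")


def run_injection(strict):
    """Replay the injection window: early CCS, then the honest CKE and CCS."""
    ep = Ssl3Endpoint(strict)
    try:
        ep.on_change_cipher_spec()               # injected by the man in the middle
    except HandshakeError as e:
        return {"accepted_early_ccs": False, "error": str(e)}
    ep.on_client_key_exchange(b"premaster")      # constructed premaster secret
    ep.on_change_cipher_spec()                   # legitimate CCS: new Finished only
    return {"accepted_early_ccs": True, "keys_attacker_known": ep.keys_attacker_known()}
```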


Fortunately a patch is available here and a simple Go tool to check for the bug's presence is here. For more detailed info, please visit (this post, and the original post).

Friday, May 16, 2014

MalControl Video

After the big success obtained through the MalControl open source software, people asked me to record a simple video to show how it's supposed to work. I did use screencast this time.

This short quick'n dirty video shows how MalControl is supposed to work. Please refer to the original GitHub page for every need, ticket, request and so on. If you want to add your scraper and/or new frontend features please email me; every contribution is welcome.

Friday, May 2, 2014

Say Hello to MalControl: Malware Control Monitor

Gathering open data from malware analysis websites is the main target of the Malware Control Monitor project. Visualizing such data by synthesizing statistics that highlight where threats happen and what their impact is could be useful to identify malware propagation.

Open Data:

We actually scrape the following services:
  1. malwr 
  2. phishtank 
  3. urlquery 
  4. virscan 
  5. webinspector 
If you are a malware scan provider and you would like to actively participate in the project by giving some of your data, please contact us; we'll be glad to add your service to our project. Each visualized threat comes with the original and 'clickable' URL pointing to the original report. The original report holds all the information specific to the threat.

Backend Structure:

A background node scrapes websites to grab malware information and fills up a mongod database. An API node serves the API used by the frontend layer. Public APIs are available; please read doc/index.html for a full list of the API. If you are interested in developing a website scraper, take as an example one of the scrapers available in the scrapers folder. Each scraper must be a function 'goScraper' that ends up saving the scraped data to the db using the function saveMalwareToDB, respecting the db schema placed in the schemas folder.

Screen Shots:

Screenshots talk loudly :) The following image shows how MalControl geolocalizes malware and threats by grouping them by country. On the right side of the screen, graphs with a transparent gradient show trends and totals of the analyzed sources. The top two charts show the "top countries" spreading malware/threats.

The second pair of charts shows how many malware/threats per hour MalControl is able to capture. This feature gives an instant view of how the "malware world" is progressing. The last two charts show the totals of malware/threats coming from the scraped sources. If you are interested in adding a source (by writing a scraper) please make a pull request or contact us.

By drilling down into a specific malware/threat you will see the icons of the scraped sources. By clicking on such icons a tooltip pops up with detailed information on the selected malware/threat. The information is source specific and might differ from source to source. The following image shows you detailed information from PhishTank, which provides the malicious URL and the specific Report.

Download and Contribute:

If you would like to download it, try it, set it up at home or help us develop MalControl, a good place to start is the Github Repository:

Super Important Note:

Everything is as it is: this project is still "under construction"; what you see on the Github Repo is an early version of the full stack implementation. "Don't even think of using it on any production environment". Code might change, might be deleted and so on..

Monday, April 28, 2014

InfoSec London 2014

Just a quick note to my readers from London. I'll attend InfoSec London 2014; if you want to have a beer or share some "Security Thoughts" I'll be more than happy. Just drop me an email and I'll answer you shortly.

While I'll spend most of my time at Stand M96, I'll try to attend some of the following sessions:

Hope to meet you there !