
Security Week 45: escape from the sandbox, bypassing EMET through WOW64, breaking into 000webhost

The quotes from Eugene Kaspersky's book that I attach to each news digest illustrate the threat landscape of the early 1990s well, or rather where information security sat in relation to the rest of the world. Until roughly the early 2000s, before the first mass epidemics of still fairly simple malware, information security was perceived as something even more arcane than IT as a whole. Those were good times, but they ended. In the mid-2010s cyber threats are discussed by everyone: scientists, parliamentarians and even pop stars. This is clearly visible in October's digests of the most popular news: first we touched on cryptographic theory, then suddenly jumped into legislation. And yes, that is as it should be: all of it affects cyberspace somehow, even if not right now.

But practical security has remained what it always was: a complex, purely technical subject. The threat landscape cannot be assessed adequately by looking only at society's reaction or only at academic research. Those bills matter, but they have little in common with practice; they are connected to IT as a whole only because their text was typed into Word on a computer. This is no great discovery, just an obvious hint that it would be nice to strike a balance. It is gratifying that this week all the most popular news comes from the practical sphere. No politics, no threats that might be exploited in fifteen years. Everything is here and now, the way we like it. Moderate hardcore, long may it live. Wheee!
The previous editions live here.

Xen closed dangerous vulnerability to allow sandbox escape
News. Security advisory. QubesOS developer advisory.

What was found: a vulnerability in the Xen hypervisor, present since version 3.4.0, which under certain conditions allows code inside a virtual machine to gain complete control over the host, that is, to perform what is called a sandbox escape. Those involved describe the incident differently. The terse Xen bulletin reads: "The code used to validate entries in second-level page tables can be circumvented if certain conditions are met." The developers of QubesOS, an operating system with an emphasis on security, put it more plainly: "Perhaps the worst [vulnerability] of all that we have seen in the Xen hypervisor. Unfortunately."
Xen developers' reaction: (image not reproduced)

QubesOS developers' reaction: (image not reproduced)
You can understand them: QubesOS uses virtualization to isolate tasks from each other as strictly as possible: work from entertainment, banking from porn sites with pictures, and so on. Any vulnerability of the sandbox-escape class sends all of their carefully tuned protection down the drain, hence the frustration. And not only theirs: the Xen code base is also used by Amazon and thousands of other companies around the world. The vulnerability, incidentally, was reported by a researcher from China's Alibaba. On Amazon's side, I recommend this article, which describes the mitigation process in some detail. The gist is clear: you have to assess the scale of the problem, roll out a patch, and do it quickly but without breaking anything for customers (ideally without even rebooting their VMs). Not an easy task.

But an important one, because in theory you could rent a dozen cheap virtual machines in different Amazon EC2 data centers, use them to take control of the hosts, and then set off on an exciting quest for other people's servers. The key word here is theoretically: there is no proof of concept and none is expected, and I don't think Amazon relies on the Xen code alone for its security. But as a way to gauge the magnitude of the problem, it is the right example. Are such holes found often? More often than we would like. A QubesOS representative writes that it is not very evident from the Xen development process that security is a priority. The previous vulnerability (also a sandbox escape, but with harsher restrictions on exploitation) was found at the end of July.

The WoW64 subsystem can be used to bypass EMET in Windows
News. Research by Duo Security.

The Enhanced Mitigation Experience Toolkit is a set of Microsoft technologies aimed at raising application security. In other words, it lets you apply methods that complicate an attacker's life, such as ASLR and DEP, to programs even when the developers themselves have not bothered to adopt these useful technologies. This "convenience" has an obvious downside: if EMET is bypassed, the level of protection drops not for one particular application but for the whole set at once.

What the Duo Security researchers found is not even a vulnerability in the sense of an exploitable hole in EMET. It is rather a "leak at the interface": EMET turns out to be less effective on a 64-bit OS when the program being protected was written for the 32-bit version. This happens often, if not almost always: most browsers, for instance, run as a 32-bit process in a 64-bit environment. As proof, here is a screenshot from my computer (and how much memory it eats!).



To make such a combination work on 64-bit Windows there is the WoW64 subsystem (not "wow" but Windows on Windows). EMET's success depends on how tightly its protection technologies control other people's code, and when WoW64 is involved it turns out that they control it poorly: as the researchers describe, EMET's hooks sit in the 32-bit view of the process, while a 32-bit program running under WoW64 can switch the processor into 64-bit mode and call the native 64-bit system libraries directly, where EMET is not watching. As an example, the researchers cite an exploit for a use-after-free vulnerability in Adobe Flash discovered in January this year. EMET is designed to cope with such memory tricks (when the developer could not), but a small modification of the exploit by the researchers allowed it to bypass the Windows protection entirely, thanks to the complexity of the interaction between EMET and WoW64.
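The screenshot of 32-bit processes mentioned above is not reproduced, but the same inventory can be taken with a script. What follows is an added example, not code from the original post or from Duo Security: it lists the processes running under WoW64 on 64-bit Windows, which are exactly the processes whose EMET coverage the research calls into question. It assumes a 64-bit Windows host and a PowerShell session; the P/Invoke of IsWow64Process, the function name Get-Wow64Process and the output columns are choices made for this example. Processes that cannot be opened (other users' or protected ones) are skipped rather than aborting the listing.

```powershell
# Added example (not from the original post or Duo Security's research).
# Lists processes running under WoW64, i.e. 32-bit images on 64-bit Windows.
# Assumes 64-bit Windows; the P/Invoke wrapper below is defined for this example.

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@

function Get-Wow64Process {
    # Emits one object per WoW64 process. 64-bit processes, processes whose
    # bitness cannot be queried, and processes we are not allowed to open are left out.
    if (-not [Environment]::Is64BitOperatingSystem) {
        throw 'WoW64 only exists on 64-bit Windows; nothing to check here.'
    }

    foreach ($p in Get-Process) {
        # .Handle opens the process for querying; this fails for protected
        # processes and those of other users, so skip them quietly.
        $handle = $null
        try { $handle = $p.Handle } catch { continue }
        if (-not $handle) { continue }

        $isWow64 = $false
        if (-not [Win32.Kernel32]::IsWow64Process($handle, [ref] $isWow64)) {
            continue    # query failed; treat as unknown rather than guessing
        }
        if (-not $isWow64) { continue }

        # MainModule can also be denied; report the process anyway.
        $path = '<unavailable>'
        try { $path = $p.MainModule.FileName } catch { }

        [pscustomobject]@{
            Name         = $p.ProcessName
            Id           = $p.Id
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Path         = $path
        }
    }
}

# Usage: the 32-bit browsers the post mentions typically appear near the top.
Get-Wow64Process | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
```

Every process in this list is one where a 32-bit exploit has the WoW64 mode switch available to it, so it is the list to compare against whatever EMET (or its successors) claims to protect.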

Trust no one. Fortunately this is still only research, but the conclusion is clear: Microsoft has done a fine job with EMET, but you cannot rely on it entirely. If a vulnerability is nonetheless found and exploited, you need to be able to block it in several ways, and the more there are, the better. Ideally, an exploit should not be allowed to reach a vulnerable OS or run in a vulnerable application at all; it should be shot down on the distant approaches, for example with a blacklist of dubious URLs. The Xen story, though from an entirely different opera, says the same thing: there should be a lot of security, and if possible everywhere.

Cherry on the cake: some research spares me the trouble of finding funny pictures. Duo Security offers the following:



The 000webhost breach leaked the passwords of 13.5 million users
News. The hoster's FAQ. The original post about the breach on Facebook (100 likes). Troy Hunt's post with the details.

In theory, the Xen vulnerability story could be used to break into a hosting provider: there are VMs, there is a vulnerability, there is an exploit, there is access to private information, the customer database for example. The breach of the Lithuanian hoster 000webhost shows that such convoluted tactics are not needed at all (even if they were possible) when much simpler and more reliable methods exist. In this case, an outdated version of PHP on the company's website was broken into, and through it the attackers got access to customer data, including passwords. Troy Hunt, the owner of the Have I Been Pwned? service, claims that the hoster stored user passwords in plain text.

So what is the point of using complex attack methods and probing ciphers for weaknesses, when in reality our data leaks away like this? Still, 000webhost reacted to the incident correctly: they published all the necessary information, reset passwords, temporarily closed access to some services (and did not forget to announce when access was reopened). In capital letters, bold, italic and underlined, the incident FAQ says the following:



Well, I admit, there were no italics. But the idea is correct: do not use a compromised password anywhere else. I would add that passwords should be unique in general. In the bright future of our more secure cyberworld, that is exactly how it will be.

What else happened:
Social engineering news: mobile malware masquerades as a Word document, with the icon everyone knows and understands. It steals personal data, sends premium-rate SMS and calls premium-rate numbers.

A patch for the Stagefright 2.0 vulnerabilities has been released; owners of Nexus smartphones and those who regularly sync their code base with the Android Open Source Project will get it first. The rest, as usual, will have to wait anywhere from a month to never.

Antiquities:
The "Flip" family

When an infected file is launched, the hard drive's MBR is affected (the size of the logical disk is reduced, and the old MBR sector and its continuation are written into the freed space). COM and EXE files are usually infected when they are run. In files, "Flip" is a "ghost" (polymorphic) virus: it is encrypted, and the decryptor has no constant segment (signature) longer than 2 bytes.

On the 2nd of the month at 4:00 pm it "flips" the screen: it swaps the arrangement of characters on the screen (top to bottom, right to left) and inverts their image ('P' becomes 'b').

"Flip-2327" replaces the following sequence of instructions in files:
MOV DX, Data_1    ; load a word from Data_1 into DX
MOV Data_2, DX    ; store it at Data_2
MOV DX, Data_3    ; load a word from Data_3 into DX
MOV Data_4, DX    ; store it at Data_4

(this instruction sequence occurs in COMMAND.COM, in the subroutine responsible for displaying the results of the DOS FindFirst and FindNext functions) with a call to INT 9Fh. The virus contains an INT 9Fh handler and "reduces" the displayed file lengths, hiding its own growth. Files modified in this way must be restored from backups.

They contain the text "OMICRON by PsychoBlast". They hook INT 10h, 1Ch, 21h and 9Fh.

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, pages 103-104.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.

Source: https://habr.com/ru/post/270295/

